Full_Name: Jonathan Price
Version: 2.4.40
OS: FreeBSD 10.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.47.105.54)

I have compiled version 2.4.40 with the SHA2 module enabled.

I then ran slappasswd with the following arguments:

slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o module-load=pw-sha2

This works successfully. In this example I used the word "test" and it produced the following output:

{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==

However, if I replace {SHA512} with {SSHA512} it produces the following output:

Password verification failed.

I have tested SHA256, SHA384 and SHA512. All three of these work fine. All three of SSHA256, SSHA384 and SSHA512 do not work, however.

It appears that there is an issue with slappasswd and salted SHA2 hashes. I have checked that 2.4.40 is new enough to have a version of the SHA2 overlay, and also checked the source to make sure it was definitely a new enough version, and can confirm that it is. Unfortunately, beyond this basic level of checking, I'm not a C programmer so I can't investigate the issue further myself.
--On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org wrote:

> Full_Name: Jonathan Price
> Version: 2.4.40
> OS: FreeBSD 10.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (80.47.105.54)
>
>
> I have compiled version 2.4.40 with the SHA2 module enabled.
>
> I then run the slappasswd with the following arguments:
> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
> module-load=pw-sha2

You requested a non-salted hash -> SHA512

Did you try requesting a salted hash? -> SSHA512

Works fine for me, and I've been using it in production for quite some time.

[zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o module-load=pw-sha2 -s test
{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
changed notes changed state Open to Closed
Hi,

From the original email:

However, if I replace {SHA512} with {SSHA512} it produces the following output:
Password verification failed.

It's interesting to see that it does work under certain conditions then. It appears that your OpenLDAP installation is part of a Zimbra installation. Does Zimbra make any modifications to OpenLDAP, or is it just built on top of it?

Either way, I think I'm going to try it on Debian, just to rule out it being a FreeBSD issue, which it quite well could be at this point.

On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
> wrote:
>
>> Full_Name: Jonathan Price
>> Version: 2.4.40
>> OS: FreeBSD 10.1
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (80.47.105.54)
>>
>>
>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>
>> I then run the slappasswd with the following arguments:
>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2
>
> You requested a non salted hash -> SHA512
>
> Did you try requesting a salted hash? -> SSHA512
>
> Works fine for me, and I've been using it in production for quite some
> time.
>
> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
> module-load=pw-sha2 -s test
> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
--On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price <freebsd@jonathanprice.org> wrote:

> Hi,
>
> From the original email:
> However, if I replace {SHA512} with {SSHA512} it produces the following
> output:
> Password verification failed.
>
> It's interesting to see that it does work under certain conditions then.
> It appears that your OpenLDAP installation is part of a Zimbra
> installation. Does Zimbra make any modifications to OpenLDAP, or is it
> just built on top of it?
>
> Either way, I think I'm going to try it on Debian, just to rule out it
> being a FreeBSD issue, which it quite well could be at this point.

We make a few modifications to OpenLDAP, but nothing affecting the pw-sha2 module, which we use as-is.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price <freebsd@jonathanprice.org> wrote:

> Hi,
>
> From the original email:
> However, if I replace {SHA512} with {SSHA512} it produces the following
> output:
> Password verification failed.

You also were not clear *where* you did this replacement. It is certainly not valid to do this replacement on the generated hash, as the generated hash was non-salted, and just adding another S in there will not magically make it salted. It is valid to do this replacement in the slappasswd line when generating a hash, as per my example, so that a salted hash is generated.

--Quanah

> It's interesting to see that it does work under certain conditions then.
> It appears that your OpenLDAP installation is part of a Zimbra
> installation. Does Zimbra make any modifications to OpenLDAP, or is it
> just built on top of it?
>
> Either way, I think I'm going to try it on Debian, just to rule out it
> being a FreeBSD issue, which it quite well could be at this point.
>
> On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
>> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
>> wrote:
>>
>>> Full_Name: Jonathan Price
>>> Version: 2.4.40
>>> OS: FreeBSD 10.1
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (80.47.105.54)
>>>
>>>
>>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>>
>>> I then run the slappasswd with the following arguments:
>>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>>> module-load=pw-sha2
>>
>> You requested a non salted hash -> SHA512
>>
>> Did you try requesting a salted hash? -> SSHA512
>>
>> Works fine for me, and I've been using it in production for quite some
>> time.
>>
>> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>> module-load=pw-sha2 -s test
>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>
>>
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Platform Architect
>> Zimbra, Inc.
>> --------------------
>> Zimbra :: the leader in open source messaging and collaboration

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
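The point made in the message above is easiest to see with the storage layout in hand. The following Python is an added example for this thread; it is not code from OpenLDAP or from anyone in the discussion. It reimplements the value format that the pw-sha2 contrib module stores in userPassword, namely base64 of the raw digest for {SHA256}/{SHA384}/{SHA512}, and base64 of the digest followed by an 8-byte random salt for the {SSHA*} schemes, where the digest is computed over password || salt. It also mimics the self-check slappasswd performs before printing: the freshly generated hash is verified against the original password, and "Password verification failed." is what you get when that check does not pass. The two hashes from the thread (the reporter's {SHA512} for "test" and Quanah's {SSHA512} for "test") are used as test vectors; the function and constant names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# The pw-sha2 module appends an 8-byte random salt for the {SSHA*} schemes;
# the stored value is base64(digest || salt).
SALT_SIZE = 8

# scheme prefix -> (hashlib algorithm, salted?)
SCHEMES = {
    "{SHA256}": ("sha256", False),
    "{SHA384}": ("sha384", False),
    "{SHA512}": ("sha512", False),
    "{SSHA256}": ("sha256", True),
    "{SSHA384}": ("sha384", True),
    "{SSHA512}": ("sha512", True),
}

# Test vectors copied from the thread: the reporter's {SHA512} output for
# "test" and the {SSHA512} value Quanah produced with 'slappasswd -s test'.
THREAD_SHA512 = ("{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/"
                 "1nsUNzLDBMxfqa2Ob1f1ACio/w==")
THREAD_SSHA512 = ("{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5"
                  "Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9")


def make_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the pw-sha2 layout for the given scheme.

    For salted schemes a fresh random salt is drawn unless one is supplied
    (supplying one is only useful for tests)."""
    algo, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(SALT_SIZE)
        body = hashlib.new(algo, pw + salt).digest() + salt
    else:
        body = hashlib.new(algo, pw).digest()
    return scheme + base64.b64encode(body).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SHA*}/{SSHA*} value.

    Returns False (never raises) for an unknown scheme, bad base64, or a blob
    whose length does not fit the scheme. A non-salted digest that has merely
    been relabelled {SSHA512} fails here: there are no salt bytes to recover."""
    end = stored.find("}")
    scheme = stored[: end + 1]
    if end < 0 or scheme not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(stored[end + 1 :], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    dlen = hashlib.new(algo).digest_size
    pw = password.encode("utf-8")
    if salted:
        if len(raw) <= dlen:  # digest only, nothing left over for the salt
            return False
        digest, salt = raw[:dlen], raw[dlen:]
        expected = hashlib.new(algo, pw + salt).digest()
    else:
        if len(raw) != dlen:
            return False
        digest, expected = raw, hashlib.new(algo, pw).digest()
    # constant-time comparison, as a password check should use
    return hmac.compare_digest(digest, expected)


def slappasswd_selfcheck(scheme: str, password: str) -> Optional[str]:
    """Mimic slappasswd: generate the hash, then verify it against the original
    password before handing it out. Returns None where slappasswd would print
    'Password verification failed.' instead of the hash."""
    h = make_hash(scheme, password)
    return h if verify(h, password) else None


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(scheme, slappasswd_selfcheck(scheme, "test"))
    # Relabelling the non-salted digest does not make it salted:
    relabelled = "{SSHA512}" + THREAD_SHA512[len("{SHA512}"):]
    print("relabelled verifies:", verify(relabelled, "test"))
```

Running this reproduces the reporter's {SHA512} value for "test" byte for byte and verifies Quanah's {SSHA512} value, which confirms the salt really is carried inside the base64 blob. Because each {SSHA*} hash draws its own salt, two hashes of the same password differ, and a plain digest that has only had its prefix changed is rejected because the decoded blob has no salt bytes after the digest.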
I do apologise for the confusion, I'll try to clarify below:

Here is the command you ran successfully:

/opt/zimbra/openldap/sbin/slappasswd -h '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o module-load=pw-sha2 -s test
{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9

Here is an example of me running just a plain SHA512:

slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o module-load=pw-sha2
{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==

And here is an example of me running a salted SHA512 (SSHA512):

slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o module-load=pw-sha2 -s test
Password verification failed.

I hope this helps to clarify.

On 2015-01-13 19:14, Quanah Gibson-Mount wrote:
> --On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> Hi,
>>
>> From the original email:
>> However, if I replace {SHA512} with {SSHA512} it produces the following
>> output:
>> Password verification failed.
>
> You also were not clear *where* you did this replacement. It is
> certainly not valid to do this replacement on the generated hash, as the
> generated hash was non-salted, and just adding another S in there will
> not magically make it salted. It is valid to do this replacement in the
> slappasswd line when generating a hash, as per my example, so that a
> salted hash is generated.
>
> --Quanah
>
>
>> It's interesting to see that it does work under certain conditions then.
>> It appears that your OpenLDAP installation is part of a Zimbra
>> installation. Does Zimbra make any modifications to OpenLDAP, or is it
>> just built on top of it?
>>
>> Either way, I think I'm going to try it on Debian, just to rule out it
>> being a FreeBSD issue, which it quite well could be at this point.
>>
>> On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
>>> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
>>> wrote:
>>>
>>>> Full_Name: Jonathan Price
>>>> Version: 2.4.40
>>>> OS: FreeBSD 10.1
>>>> URL: ftp://ftp.openldap.org/incoming/
>>>> Submission from: (NULL) (80.47.105.54)
>>>>
>>>>
>>>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>>>
>>>> I then run the slappasswd with the following arguments:
>>>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>>>> module-load=pw-sha2
>>>
>>> You requested a non salted hash -> SHA512
>>>
>>> Did you try requesting a salted hash? -> SSHA512
>>>
>>> Works fine for me, and I've been using it in production for quite some
>>> time.
>>>
>>> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
>>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>>> module-load=pw-sha2 -s test
>>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>>
>>>
>>>
>>> --Quanah
>>>
>>> --
>>>
>>> Quanah Gibson-Mount
>>> Platform Architect
>>> Zimbra, Inc.
>>> --------------------
>>> Zimbra :: the leader in open source messaging and collaboration
>
>
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
--On Tuesday, January 13, 2015 7:24 PM +0000 Jonathan Price <freebsd@jonathanprice.org> wrote:

> I do apologise for the confusion, I'll try to clarify below:
>
> Here is the command you ran successfully:
> /opt/zimbra/openldap/sbin/slappasswd -h
> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
> module-load=pw-sha2 -s test
> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>
> Here is an example of me running just a plain SHA512
> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
> module-load=pw-sha2
> {SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUN
> zLDBMxfqa2Ob1f1ACio/w==
>
> And here is an example of me running a salted SHA512 (SSHA512)
> slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o
> module-load=pw-sha2 -s test
> Password verification failed.
>
> I hope this helps to clarify.

Yes, thank you. So I'm using 2.4.39. There were some minor changes to slapd-sha2 in 2.4.40. I will see if I can reproduce the issue with current RE24.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
changed notes changed state Closed to Open
Hi,

I tried 2.4.39 under FreeBSD and still had the same issue.

I have also tried the packages for both CentOS 7 and Debian Wheezy, but unfortunately neither of them include the SHA2 overlay by default.

Finally, I tried installing zimbra-core and zimbra-ldap under CentOS. When I used this installation, it worked successfully.

I ran slapd -V on the zimbra installation, and it's 2.4.39. However, based on it still not working on 2.4.39 on FreeBSD, it appears to have narrowed it down to two reasons:

- An issue with the packaging under FreeBSD
- The functionality is specific to Zimbra

The next step in the process to narrow this down is to do a manual compilation on CentOS, including the SHA2 overlay. If this works, then it would confirm it to be a FreeBSD issue, and if it doesn't work that would strongly suggest that Zimbra has modified something.

Thanks for the assistance so far,

-Jonathan

January 13 2015 8:00 PM, "Quanah Gibson-Mount" <quanah@zimbra.com> wrote:
> --On Tuesday, January 13, 2015 7:24 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> I do apologise for the confusion, I'll try to clarify below:
>>
>> Here is the command you ran successfully:
>> /opt/zimbra/openldap/sbin/slappasswd -h
>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>> module-load=pw-sha2 -s test
>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>
>> Here is an example of me running just a plain SHA512
>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2
>> {SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUN
>> zLDBMxfqa2Ob1f1ACio/w==
>>
>> And here is an example of me running a salted SHA512 (SSHA512)
>> slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2 -s test
>> Password verification failed.
>>
>> I hope this helps to clarify.
>
> Yes, thank you. So I'm using 2.4.39. There were some minor changes to
> slapd-sha2 in 2.4.40. I will see if I can reproduce the issue with current
> RE24.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> _______________________________
>
> Zimbra :: the leader in open source messaging and collaboration
--On Wednesday, January 14, 2015 11:00 AM +0000 freebsd@jonathanprice.org wrote:

> Hi,
>
> I tried 2.4.39 under FreeBSD and still had the same issue.
>
> I have also tried the packages for both CentOS 7 and Debian Wheezy, but
> unfortunately neither of them include the SHA2 overlay by default.
>
> Finally, I tried installing zimbra-core and zimbra-ldap under CentOS.
> When I used this installation, it worked successfully.
>
> I ran slapd -V on the zimbra installation, and it's 2.4.39. However,
> based on it still not working on 2.4.39 on FreeBSD it appears to have
> narrowed it down to two reasons:
> - An issue with the packaging under FreeBSD
> - The functionality is specific to Zimbra
>
> The next step in the process to narrow this down is to do a manual
> compilation on CentOS, including the SHA2 overlay. If this works, then it
> would confirm it to be a FreeBSD issue, and if it doesn't work that would
> strongly suggest that Zimbra has modified something.

You could simply grab the LTB project builds. I'm pretty sure they build out the contrib modules.

In any case, I already noted that Zimbra doesn't patch anything in OpenLDAP that would affect this area.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Sorry for the slow response, but I have made some progress with the issue.

(As an aside, I installed a build from LTB, and unfortunately it does not contain this overlay.)

I have detailed my findings (including some trawling through the source) over on the FreeBSD bug tracker, as I suspect it could well be a platform related issue. Nonetheless, it might be worth reading:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197004

January 14 2015 4:31 PM, "Quanah Gibson-Mount" <quanah@zimbra.com> wrote:
> --On Wednesday, January 14, 2015 11:00 AM +0000 freebsd@jonathanprice.org
> wrote:
>
>> Hi,
>>
>> I tried 2.4.39 under FreeBSD and still had the same issue.
>>
>> I have also tried the packages for both CentOS 7 and Debian Wheezy, but
>> unfortunately neither of them include the SHA2 overlay by default.
>>
>> Finally, I tried installing zimbra-core and zimbra-ldap under CentOS.
>> When I used this installation, it worked successfully.
>>
>> I ran slapd -V on the zimbra installation, and it's 2.4.39. However,
>> based on it still not working on 2.4.39 on FreeBSD it appears to have
>> narrowed it down to two reasons:
>> - An issue with the packaging under FreeBSD
>> - The functionality is specific to Zimbra
>>
>> The next step in the process to narrow this down is to do a manual
>> compilation on CentOS, including the SHA2 overlay. If this works, then it
>> would confirm it to be a FreeBSD issue, and if it doesn't work that would
>> strongly suggest that Zimbra has modified something.
>
> You could simply grab the LTB project builds. I'm pretty sure they build
> out the contrib modules.
>
> In any case, I already noted that Zimbra doesn't patch anything in OpenLDAP
> that would affect this area.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> _______________________________
>
> Zimbra :: the leader in open source messaging and collaboration
quanah@zimbra.com wrote:
> --On Tuesday, January 13, 2015 7:24 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> I do apologise for the confusion, I'll try to clarify below:
>>
>> Here is the command you ran successfully:
>> /opt/zimbra/openldap/sbin/slappasswd -h
>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>> module-load=pw-sha2 -s test
>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>
>> Here is an example of me running just a plain SHA512
>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2
>> {SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUN
>> zLDBMxfqa2Ob1f1ACio/w==
>>
>> And here is an example of me running a salted SHA512 (SSHA512)
>> slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2 -s test
>> Password verification failed.
>>
>> I hope this helps to clarify.
>
> Yes, thank you. So I'm using 2.4.39. There were some minor changes to
> slapd-sha2 in 2.4.40. I will see if I can reproduce the issue with current
> RE24.

I have a FreeBSD 9 VM here with 2.4.40 installed from ports. Both SHA512 and SSHA512 work fine on it. Doesn't look to me like there's any OpenLDAP bug here; this is one for the FreeBSD folks to sort out.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
I have now made progress in narrowing down the cause further. I have noticed that it is a regression between FreeBSD 9.x -> FreeBSD 10.x. For this reason, I will move any updates on this to the FreeBSD bug tracker, rather than the OpenLDAP one, as the bug is platform specific.

Future news will be posted here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197004

Thank you for your time,

-Jonathan

January 22 2015 2:25 PM, freebsd@jonathanprice.org wrote:
> Sorry for the slow response, but I have made some progress with the issue.
>
> (as an aside, I installed a build from LTB, and unfortunately it does not
> contain this overlay)
>
> I have detailed my findings (including some trawling through the source)
> over on the FreeBSD bug tracker, as I suspect it could well be a platform
> related issue. Nonetheless, it might be worth reading:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197004
>
> January 14 2015 4:31 PM, "Quanah Gibson-Mount" <quanah@zimbra.com> wrote:
>
>> --On Wednesday, January 14, 2015 11:00 AM +0000 freebsd@jonathanprice.org
>> wrote:
>>
>>> Hi,
>>>
>>> I tried 2.4.39 under FreeBSD and still had the same issue.
>>>
>>> I have also tried the packages for both CentOS 7 and Debian Wheezy, but
>>> unfortunately neither of them include the SHA2 overlay by default.
>>>
>>> Finally, I tried installing zimbra-core and zimbra-ldap under CentOS.
>>> When I used this installation, it worked successfully.
>>>
>>> I ran slapd -V on the zimbra installation, and it's 2.4.39. However,
>>> based on it still not working on 2.4.39 on FreeBSD it appears to have
>>> narrowed it down to two reasons:
>>> - An issue with the packaging under FreeBSD
>>> - The functionality is specific to Zimbra
>>>
>>> The next step in the process to narrow this down is to do a manual
>>> compilation on CentOS, including the SHA2 overlay. If this works, then it
>>> would confirm it to be a FreeBSD issue, and if it doesn't work that would
>>> strongly suggest that Zimbra has modified something.
>>
>> You could simply grab the LTB project builds. I'm pretty sure they build
>> out the contrib modules.
>>
>> In any case, I already noted that Zimbra doesn't patch anything in OpenLDAP
>> that would affect this area.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Platform Architect
>> Zimbra, Inc.
>> _______________________________
>>
>> Zimbra :: the leader in open source messaging and collaboration
Per the FreeBSD bugtracker, this was a bug in FreeBSD10 that has since been fixed.