Re: Antw: Passwords, Hashing, and Binds
- To: Onno van der Straaten <onno.van.der.straaten@gmail.com>, openldap-technical@openldap.org, openldap-devel@openldap.org
- Subject: Re: Antw: Passwords, Hashing, and Binds
- From: Quanah Gibson-Mount <quanah@zimbra.com>
- Date: Tue, 25 Nov 2014 15:20:41 -0800
--On Monday, November 24, 2014 12:22 PM +0100 Onno van der Straaten
<onno.van.der.straaten@gmail.com> wrote:
> sudo make install
I'd generally advise you really read over the options to configure, and
build a better set of binaries. For example, leave out back-bdb/hdb, and
enable building things modularly.
My options are:
--with-cyrus-sasl \
--with-tls=openssl \
--enable-dynamic \
--enable-slapd \
--enable-modules \
--enable-backends=mod \
--disable-shell \
--disable-sql \
--disable-bdb \
--disable-hdb \
--disable-ndb \
--enable-overlays=mod \
--enable-debug \
--enable-spasswd \
--enable-crypt; \
> Make the sha2 module
> cd ~/openldap/contrib/slapd-modules/passwd/sha2
> sed -i.bak 's/-Wall -g/-Wall -g -fPIC/g' Makefile
> make
I do:
(cd openldap-$(LDAP_VERSION)/contrib/slapd-modules/passwd/sha2; \
$(MAKE) prefix=/usr/local LIBS="-L$(LDAP_LIB_DIR) -lldap_r -llber"
install STRIP=""; \
)
And then it installs it for me in the same location. Just make sure you
use the same prefix here.
> This results in a number of files: pw-sha2.la sha2.lo sha2.o
> slapd-sha2.lo slapd-sha2.o
> The question now is how to install this on my target OpenLDAP server. I
> put the files in /usr/lib64/openldap and then tried to add the following:
> dn: cn=module{0},cn=config
> changetype: modify
> replace: olcModuleLoad
> olcModuleLoad: slapd-sha2.la
I'm not sure that replacing olcModuleLoad is correct. If you already have
values in there, you probably want to keep them. I generally *add* an
additional value. In any case, your value for the attribute is incorrect.
The .la file is named, as in your email, pw-sha2.la, not slapd-sha2.la.
If you want to add it as an additional module to load, then you would do
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la
My loaded modules are:
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/zimbra/openldap/sbin/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}back_monitor.la
olcModuleLoad: {2}syncprov.la
olcModuleLoad: {3}accesslog.la
olcModuleLoad: {4}dynlist.la
olcModuleLoad: {5}unique.la
olcModuleLoad: {6}noopsrch.la
olcModuleLoad: {7}pw-sha2.la
for example.
Now, if you want to make something like, say, SHA512 the default, then you
need to modify the frontend config db:
dn: olcDatabase={-1},cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA512}
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
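Added example, not part of the thread above: once pw-sha2.la is loaded and olcPasswordHash is set to {SSHA512}, slapd stores new userPassword values in that scheme and checks simple binds against them. The script below reproduces that value layout in Python so an administrator can inspect or verify stored hashes offline. It assumes the encoding documented in the contrib pw-sha2 module's README (digest of password||salt, base64 of digest||salt, salted schemes prefixed with an extra S); the function names, the 8-byte salt length and the sample password are assumptions of this example, not something the message specifies.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Scheme prefix -> (digest constructor, salted?)
# Assumption: this mirrors the schemes provided by contrib/slapd-modules/passwd/sha2.
SCHEMES = {
    "{SHA256}": (hashlib.sha256, False),
    "{SHA384}": (hashlib.sha384, False),
    "{SHA512}": (hashlib.sha512, False),
    "{SSHA256}": (hashlib.sha256, True),
    "{SSHA384}": (hashlib.sha384, True),
    "{SSHA512}": (hashlib.sha512, True),
}


def hash_password(password: str, scheme: str = "{SSHA512}",
                  salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the given pw-sha2 scheme.

    Layout (assumed from the module README): scheme + base64(digest || salt),
    where digest = H(password || salt). Unsalted schemes use an empty salt.
    """
    algo, salted = SCHEMES[scheme]
    if salted:
        if salt is None:
            salt = os.urandom(8)  # 8-byte random salt (length is this example's choice)
    else:
        salt = b""
    digest = algo(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(candidate: str, stored: str) -> bool:
    """Check a bind password against a stored {SHA*}/{SSHA*} value.

    Returns False for unknown schemes or malformed values instead of raising,
    and compares digests in constant time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    end = stored.index("}") + 1
    scheme = stored[:end].upper()
    if scheme not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(stored[end:], validate=True)
    except (binascii.Error, ValueError):
        return False
    dlen = algo().digest_size
    if len(raw) < dlen:
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    if not salted and salt:
        # An unsalted scheme must carry exactly one digest and nothing more.
        return False
    expected = algo(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample: what a new entry's userPassword would look like
    # after olcPasswordHash is switched to {SSHA512}.
    value = hash_password("correct horse battery staple")
    print("userPassword: " + value)
    print("bind with right password:", verify_password("correct horse battery staple", value))
    print("bind with wrong password:", verify_password("Tr0ub4dor&3", value))
```

The verifier accepts a stored value only when its scheme is one the module provides, the base64 payload is well formed and at least one digest long, and the recomputed digest matches; a bind against an entry whose value was written before the module was loaded (for example {SSHA}) simply fails the scheme lookup here, which is the situation to watch for when changing olcPasswordHash on a directory with existing accounts.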