How do you set password-hash for OpenLDAP?

I have the following version on Ubuntu 12.04:

    OpenLDAP: slapd (Sep 19 2013 22:49:31) $
        buildd@batsu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd

OpenLDAP now offers SSHA as the default hash. I want to use a different hash. Yet, old tutorials are based on editing /etc/ldap/slapd.conf, which is gone in newer versions of OpenLDAP. Which file should I change?
Okay. I figured this out with help from IRC and reading the manpage.

Assuming you don't want to re-create anything but just add password-hash into the existing LDAP backend, and you are running Ubuntu (this is tested on an Ubuntu machine only, but the method should be OS-agnostic):

We will be using ldapmodify to add, modify and remove entries.

Step 1: Create test.conf

We will create a file called test.conf and add the following:

    dn: olcDatabase={-1}frontend,cn=config
    add: olcPasswordHash
    olcPasswordHash: {CRYPT}
The dn is different if you have a different database. I started out knowing nothing about where to place it, so I simulated:

    sudo su    # do this as root
    cd /etc/ldap/
    mkdir test.d
    slaptest -f test.conf -F test.d
The last command will convert the existing test.conf (my name for the famous old slapd.conf) to the new cn=config format.

If you run tree on the test.d directory, and read each of the ldif files, you will find exactly the file you want to modify. In my case (possibly for all Ubuntu users out there), it would be olcDatabase={-1}frontend.ldif.

The other thing is cn=config. This is because that ldif file exists under the cn=config directory.

This is a good way to find out where the attribute is supposed to belong.
Step 2: Run ldapmodify

    root@test32giab:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f test.conf
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={-1}frontend,cn=config"

If you now check the ldif file, it should have the olcPasswordHash attribute.
If you want to specify the format of the hash, you can do this. Assuming you are following the previous two steps, you either comment out everything or start with a new file. The file needs to contain the following lines:

    dn: cn=config
    add: olcPasswordCryptSaltFormat
    olcPasswordCryptSaltFormat: $5$rounds=8000$%.16s

Run this using the same ldapmodify command. Now LDAP account passwords will be hashed using SHA-256 ($6$ is SHA-512) plus a 16-char-long salt and hashed 8000 times.

The dn entry is cn=config because this value (based on my simulation in step 1) is in the cn=config.ldif file.

To learn about the format, check http://www.openldap.org/lists/openldap-technical/201305/msg00002.html
If you are experimenting with different formats, you can try using the replace method. So the file would look like this:

    dn: cn=config
    replace: olcPasswordCryptSaltFormat
    olcPasswordCryptSaltFormat: $5$%.16s

Now I have removed the 8000-iteration setting. I think by default SHA-256-CRYPT is hashed 5000 times.

You can read more about this by doing man ldapmodify and scrolling down to near the bottom of the man page.
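Two things a practitioner usually wants alongside the answer above: a way to sanity-check an olcPasswordCryptSaltFormat value before pushing it into cn=config (the value is a printf-style format that is handed the random salt, so a typo silently produces a weak or unusable salt), and a way to find out which entries still carry the old {SSHA} (or cleartext) userPassword, because changing olcPasswordHash only affects passwords set from then on; existing values are not rehashed until the user's next password change. The following Python is an added example, not code from the original post or from the OpenLDAP project. It builds the same ldapmodify records the answer uses (with changetype spelled out), validates glibc-style crypt salt formats, and classifies stored userPassword values. The sample userPassword values are constructed and their hash bodies are fake; the rounds limits (1000 to 999999999, default 5000) and 16-character salt limit are glibc's SHA-crypt rules.

```python
import re

# Constructed sample userPassword values, shaped like what an LDAP search returns.
# Hash bodies are made up and correspond to no real password.
SAMPLE_USERPASSWORDS = [
    "{SSHA}ZmFrZXNhbHRlZGhhc2hmb3JkZW1vb25seQ==",
    "{CRYPT}$5$rounds=8000$abcdefghijklmnop$FAKEHASHBODY000000000000000000000000000000",
    "{CRYPT}$6$qrstuvwxyz123456$FAKEHASHBODY00000000000000000000000000000000000000000000000",
    "{CRYPT}abFAKEDESHASH",
    "not-hashed-at-all",
]

CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000              # glibc default when no rounds= field is present
SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS = 1000, 999_999_999
SHA_CRYPT_MAX_SALT = 16


def ldif_modify(dn, op, attr, value):
    """Build one ldapmodify record; changetype is written out so the intent is explicit."""
    if op not in ("add", "replace", "delete"):
        raise ValueError(f"unsupported operation {op!r}")
    return f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n{attr}: {value}\n"


def check_salt_format(fmt):
    """Validate an olcPasswordCryptSaltFormat value for glibc's $1$/$5$/$6$ crypt variants.

    Returns (ok, reason). %.<N>s truncates the random salt slapd supplies to N characters.
    """
    m = re.fullmatch(r"\$([156])\$(?:rounds=(\d+)\$)?%\.(\d+)s", fmt)
    if not m:
        return False, "not of the form $<id>$[rounds=N$]%.<width>s"
    crypt_id, rounds, width = m.group(1), m.group(2), int(m.group(3))
    if crypt_id == "1":
        if rounds is not None:
            return False, "md5-crypt does not take a rounds= field"
        if width > 8:
            return False, "md5-crypt salt is at most 8 chars"
        return True, "md5-crypt (weak; prefer $5$ or $6$)"
    if width > SHA_CRYPT_MAX_SALT:
        return False, f"sha-crypt salt is at most {SHA_CRYPT_MAX_SALT} chars"
    if rounds is not None and not (SHA_CRYPT_MIN_ROUNDS <= int(rounds) <= SHA_CRYPT_MAX_ROUNDS):
        return False, f"rounds must be within {SHA_CRYPT_MIN_ROUNDS}..{SHA_CRYPT_MAX_ROUNDS}"
    return True, CRYPT_IDS[crypt_id]


def classify_userpassword(value):
    """Describe how a stored userPassword value is protected: scheme, algorithm, rounds, salt length."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m:
        return {"scheme": None, "algorithm": "cleartext", "rounds": None, "salt_len": None}
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return {"scheme": scheme, "algorithm": scheme.lower(), "rounds": None, "salt_len": None}
    parts = body.split("$")
    if parts[0] == "" and len(parts) >= 4 and parts[1] in CRYPT_IDS:
        fields = parts[2:-1]                 # everything between the id and the hash body
        rounds = None
        if fields and fields[0].startswith("rounds="):
            rounds = int(fields[0][len("rounds="):])
            fields = fields[1:]
        elif parts[1] in ("5", "6"):
            rounds = SHA_CRYPT_DEFAULT_ROUNDS
        salt = fields[0] if fields else ""
        return {"scheme": "CRYPT", "algorithm": CRYPT_IDS[parts[1]], "rounds": rounds, "salt_len": len(salt)}
    if parts[0] == "" and len(parts) >= 2:   # some other modular-crypt id (e.g. bcrypt); not analysed here
        return {"scheme": "CRYPT", "algorithm": f"crypt-{parts[1]}", "rounds": None, "salt_len": None}
    # no $id$ prefix at all: traditional DES crypt, two-character salt, no tunable cost
    return {"scheme": "CRYPT", "algorithm": "des-crypt", "rounds": None, "salt_len": 2}


def audit(values, wanted_algorithm):
    """Return the values not using wanted_algorithm, i.e. accounts to schedule for a password reset."""
    return [v for v in values if classify_userpassword(v)["algorithm"] != wanted_algorithm]


if __name__ == "__main__":
    print(ldif_modify("olcDatabase={-1}frontend,cn=config", "add", "olcPasswordHash", "{CRYPT}"))
    print(ldif_modify("cn=config", "add", "olcPasswordCryptSaltFormat", "$5$rounds=8000$%.16s"))
    print(check_salt_format("$5$rounds=8000$%.16s"))
    for v in SAMPLE_USERPASSWORDS:
        print(classify_userpassword(v))
    print("entries needing a rehash:", len(audit(SAMPLE_USERPASSWORDS, "sha256-crypt")))
```

In practice you would feed audit() the userPassword values from an ldapsearch run as a privileged identity, and use its output to drive a password-change campaign rather than trying to convert the hashes in place, which is not possible without the cleartext.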