
I have an OpenLDAP LDAP server on Debian 9 (through the slapd package, v2.4.44). We use crypt for password authentication. Currently the scheme is SHA512: $5$....
The setup is pretty much as described in this question: How to use SHA-256 hashed (and salted) passwords from OpenLDAP in pam_ldap? (and see https://en.wikipedia.org/wiki/Crypt_(C))

I was thinking I would try to upgrade from SHA512 to bcrypt (blowfish hashes, $2y$...) since they are much harder to crack.

The beauty of the crypt back-end is that the scheme is saved in the password itself. So to test bcrypt I can just log into my LDAP browser and change my own password to {CRYPT}$2y$10$...$, using an online tool to produce the hash.

However, if I now try to log in with that account, it says my credentials are invalid.

For the record, with the process described I can successfully change the hash to other types and still log in. It seems that bcrypt specifically is not recognized, but I expect the option to be there.

So, what else do I need to do to let OpenLDAP work with bcrypt?

Roberto

2 Answers


I got it to work. It seems the shipped version of libcrypt simply does not support bcrypt.

Following this blog from 2019, I downloaded and built an extension to libcrypt that does include bcrypt (and is backwards compatible).

I'll copy the steps in case the blog disappears:

  • Clone or download the libxcrypt library: https://github.com/besser82/libxcrypt (I got version 4.4.3)
  • Build the source with:
    $ ./bootstrap && ./configure && make
    • You might require the packages autoconf, automake, libtool and pkg-config (see the repo Readme for further instructions)
  • Install the freshly compiled libcrypt:
    $ cp ./.libs/libcrypt.so.1.1.0 /lib/x86_64-linux-gnu
  • Backup the old libcrypt:
    $ cd /lib/x86_64-linux-gnu && cp libcrypt.so.1 libcrypt.so.1.0.0
  • And now replace libcrypt with a link to the new version:
    $ rm libcrypt.so.1 && ln -s libcrypt.so.1.1.0 libcrypt.so.1

Warning: With libcrypt missing or corrupt, your system cannot perform any authentications! Including logins and sudo ... commands. So make sure to replace the file in one go and be prepared for a complete lock-out.

With these changes {CRYPT}$2y$... hashes are accepted!
I use the PHP crypt() function to create new password hashes.

Roberto
  • Just noticed that on the Wikipedia page it's mentioned that on Linux `libcrypt` does not support bcrypt: https://en.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems, so I could have seen this coming. Maybe on Debian 10 it's supported out of the box. – Roberto Mar 22 '21 at 18:53
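As a diagnostic for the symptom in the question and the finding in this answer, here is an added Python example (not from the post, not from libxcrypt) that asks the installed libcrypt, by calling crypt(3) through ctypes, which scheme ids it accepts, and that splits an LDAP userPassword value into its {CRYPT} scheme and crypt id. The library file names, the probe salt strings and the probe password are assumptions constructed for the check; on a stock Debian 9 libcrypt the $2y$ probe comes back unsupported while $5$ and $6$ pass, which is exactly the behaviour described above.

```python
import ctypes
import ctypes.util
import re
import sys

# Constructed probe settings (salt strings), one per crypt(3) scheme id.
# None is a real hash; bcrypt needs exactly 22 salt chars after the cost.
PROBE_SETTINGS = {
    "$5$": "$5$saltsalt$",                    # SHA-256-crypt
    "$6$": "$6$saltsalt$",                    # SHA-512-crypt
    "$2y$": "$2y$10$abcdefghijklmnopqrstu.",  # bcrypt, crypt_blowfish variant
}

def userpassword_scheme(value):
    """'{CRYPT}$2y$10$..' -> ('CRYPT', '$2y$'); '{SSHA}..' -> ('SSHA', None).
    The crypt id is the '$id$' prefix libcrypt dispatches on ('DES' if none)."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if not m:
        return None, None
    scheme, h = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme, None
    cid = re.match(r"^\$[^$]+\$", h)
    return scheme, cid.group(0) if cid else "DES"

def load_libcrypt():
    """Load the system crypt(3) library; None if unavailable (e.g. non-Linux)."""
    if not sys.platform.startswith("linux"):
        return None
    for name in filter(None, ("libcrypt.so.1", "libcrypt.so.2", ctypes.util.find_library("crypt"))):
        try:
            lib = ctypes.CDLL(name)  # assumed library names; first that loads wins
        except OSError:
            continue
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        lib.crypt.restype = ctypes.c_char_p
        return lib
    return None

def supports_crypt_scheme(crypt_id, lib=None):
    """True/False if libcrypt accepts crypt_id; None if no library loaded.
    glibc returns NULL for an unknown setting, libxcrypt the token '*0'; a real hash echoes the scheme id as its prefix."""
    lib = load_libcrypt() if lib is None else lib
    if lib is None:
        return None
    out = lib.crypt(b"probe-password", PROBE_SETTINGS[crypt_id].encode())
    return out is not None and out.decode().startswith(crypt_id)

if __name__ == "__main__":
    print({cid: supports_crypt_scheme(cid) for cid in PROBE_SETTINGS})
```

Run it before and after swapping in libxcrypt; a False for $2y$ means slapd's {CRYPT} verifier cannot validate bcrypt hashes on that host no matter what is stored in userPassword.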

There is an unofficial bcrypt module for OpenLDAP at https://github.com/wclarie/openldap-bcrypt/

However, I would strongly advise instead using an OpenLDAP build that includes support for Argon2 password hashes.