
Since PBKDF2 (Password-Based Key Derivation Function 2) is a more secure hash function, I wonder whether the current OpenLDAP implementation supports PBKDF2 (pbkdf2_sha256, for example)?

I have found some information on Google about PBKDF2 support in OpenLDAP, but I am not sure which OpenLDAP version it applies to, or whether I am doing it the right way:

I have built an OpenLDAP server, version 2.4.28, on Ubuntu 12.04 and used a Python library to generate a PBKDF2-SHA256 hashed password. Then I put this PBKDF2-SHA256 password into a new LDAP user's userPassword field as follows:

userPassword: '{PBKDF2-SHA256}10000$LBwTpUPGqxdH$8pDqhAruY94IhhuCZLost471pGImy//wH0pS25LO/YI='

This did not work. No error was reported in the LDAP log, but I still cannot log in with the original plain-text password.

I would greatly appreciate it if someone could kindly give me some comments or direction!

user1817188
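To see what the server has to do to match a bind password against a value like the one in the question, here is an added example (not OpenLDAP's code and not the pw-pbkdf2 module's code) that parses a `{PBKDF2-SHA256}iterations$salt$hash` userPassword value and verifies a password against it with the standard library. The field layout is taken from the question; the salt and hash encoding is an assumption, so the decoder accepts both plain base64 and the padding-less adapted base64 (`.` in place of `+`) that Passlib-style generators emit. The helper names and the scheme-to-digest table are this example's own.

```python
"""Parse and verify LDAP-style {PBKDF2-*}iterations$salt$hash values.

Added example, not OpenLDAP or pw-pbkdf2 module code. The field layout
follows the userPassword value shown in the question; which base64 variant
a given module expects is an assumption, so both are accepted here.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme label (inside the braces) -> hashlib digest name. The bare
# {PBKDF2} label is the SHA-1 scheme the first answer mentions.
SUPPORTED = {
    "PBKDF2-SHA256": "sha256",
    "PBKDF2-SHA512": "sha512",
    "PBKDF2": "sha1",
}


def _b64decode_lenient(text: str) -> bytes:
    """Decode standard base64 or adapted base64 ('.' for '+', no '=' padding)."""
    text = text.replace(".", "+")
    text += "=" * (-len(text) % 4)  # restore any stripped padding
    return base64.b64decode(text, validate=True)


def parse_pbkdf2_field(value: str) -> Tuple[str, int, bytes, bytes]:
    """Split '{SCHEME}iterations$salt$hash' into (digest, iterations, salt, dk).

    Raises ValueError on any malformed input, so callers can treat a bad
    field exactly like a wrong password.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    end = value.index("}")
    scheme = value[1:end].upper()
    if scheme not in SUPPORTED:
        raise ValueError(f"unsupported scheme {scheme}")
    parts = value[end + 1:].split("$")
    if len(parts) != 3:
        raise ValueError("expected iterations$salt$hash")
    iterations = int(parts[0])
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = _b64decode_lenient(parts[1])
    dk = _b64decode_lenient(parts[2])
    digest = SUPPORTED[scheme]
    # Refuse truncated derived keys: a short dk would only be compared on
    # its prefix and silently weaken the check.
    if len(dk) != hashlib.new(digest).digest_size:
        raise ValueError("derived key length does not match digest")
    return digest, iterations, salt, dk


def verify_password(password: str, value: str) -> bool:
    """Return True only if password reproduces the stored derived key."""
    try:
        digest, iterations, salt, dk = parse_pbkdf2_field(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.pbkdf2_hmac(
        digest, password.encode("utf-8"), salt, iterations, dklen=len(dk)
    )
    return hmac.compare_digest(candidate, dk)


def make_pbkdf2_field(password: str, iterations: int = 10000,
                      digest: str = "sha256",
                      salt: Optional[bytes] = None) -> str:
    """Build a '{PBKDF2-SHA256}iterations$salt$hash' value with plain base64."""
    if salt is None:
        salt = os.urandom(16)
    scheme = {v: k for k, v in SUPPORTED.items()}[digest]
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return "{%s}%d$%s$%s" % (
        scheme, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


if __name__ == "__main__":
    # Constructed sample: generate a value, then check a right and a wrong password.
    field = make_pbkdf2_field("correct horse", iterations=10000)
    print(field)
    print(verify_password("correct horse", field), verify_password("wrong", field))
```

A practical use is to take the exact string stored in the directory and the password you are binding with and run them through `verify_password`; if that returns True while the bind still fails, the stored value itself is fine and the problem is on the server side (module not loaded, scheme label not recognized), which is where the checklist in the second answer applies.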

2 Answers


Currently, the OpenLDAP PBKDF2 module only supports PBKDF2-SHA1. The scheme name is {PBKDF2}. Probably it is compatible with Python Passlib. I have a roadmap for PBKDF2-SHA256 and PBKDF2-SHA512, but they are not implemented yet.

EDIT: PBKDF2-SHA256 and PBKDF2-SHA512 are now supported. https://github.com/hamano/openldap-pbkdf2


Just to make sure, could you please check the following:

  • Did you include the directives `moduleload pw-pbkdf2.so` and `password-hash {PBKDF2}` in your slapd.conf?

  • Did the module load correctly according to your logfiles?

  • Can you generate a pbkdf2-hashed password by running `slappasswd`?

  • Do you get any sort of entries in your logfile regarding the failed authentication attempt?

far4d
    You may add `loglevel config conn stats` to your `slapd.conf` to ease debugging the problem. – far4d Jan 23 '14 at 08:48