To implement Argon2 hashing on OpenLDAP, you can follow these steps:
- Add Argon2 as OpenLdap hash module & allowed method
- Create/Modify userpassword with Argon2
- Verify user authentication
1 - Add Argon2 as OpenLdap hash module & allowed method
Modify the LDAP config in order to load Argon2:
ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif
with modules.ldif:
# Load Argon2 module
dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
# Adapt the olcModulePath below depending on your OS or your packaged openldap
olcModulePath: /opt/bitnami/openldap/libexec/openldap/
olcModuleLoad: argon2.so

# Tell that Argon2 is an allowed hash method (the blank line above separates the two LDIF records)
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}
2 - Create/Modify userpassword with Argon2
Generate a hashed password with the Argon2 module:
slappasswd -o module-load=argon2.so -h {ARGON2} -s "mypassword"
It should return something like: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$G+lDOYm0ra9Gl/e/gZ+FZw$HlePGPXj2ghUZfznIvKvzgRZaEXm0/4YVWttmztakgM
Then, modify an existing user password:
ldapmodify -x -H ldapi:/// -D "cn=admin,dc=example,dc=com" -w "adminPassword" -f changeUserPassword.ldif
with changeUserPassword.ldif:
dn: cn=JohnDoe,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$G+lDOYm0ra9Gl/e/gZ+FZw$HlePGPXj2ghUZfznIvKvzgRZaEXm0/4YVWttmztakgM
3 - Verify user authentication
Now, verify that the user can be authenticated with his new hashed password:
ldapwhoami -x -H ldapi:/// -D "cn=JohnDoe,ou=users,dc=example,dc=com" -w "mypassword"
If it is ok, it should return the DN: dn:cn=JohnDoe,ou=users,dc=example,dc=com
I hope this helps! Let me know if you have any other questions.
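As an added example (not part of the answer above, and not OpenLDAP project code), the script below parses the `{ARGON2}` userPassword format that slappasswd produces (variant, version, m/t/p parameters, unpadded-base64 salt and hash) and audits stored values against a policy. The policy thresholds, the `audit_ldif` helper and the second LDIF entry are assumptions constructed for this example; only the sample hash comes from the answer. It runs offline on LDIF text such as `ldapsearch -LLL ... userPassword` output, and handles the `userPassword::` base64 form ldapsearch uses for such values.

```python
import base64
import re
from dataclasses import dataclass

# Shape of an OpenLDAP {ARGON2} userPassword value as written by slappasswd:
#   {ARGON2}$argon2<variant>$v=<ver>$m=<KiB>,t=<iters>,p=<lanes>$<salt>$<hash>
# where <salt> and <hash> are unpadded base64 (PHC string format).
_ARGON2_RE = re.compile(
    r"^\{ARGON2\}\$argon2(?P<variant>id|i|d)\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)

# Example audit policy: assumed thresholds for this example, not values from
# the answer; adjust them to your own standard.
POLICY = {"variant": "id", "min_memory_kib": 19 * 1024, "min_iterations": 2,
          "min_salt_bytes": 16, "min_hash_bytes": 32}


@dataclass
class Argon2Password:
    variant: str        # "i", "d" or "id"
    version: int        # 19 == 0x13
    memory_kib: int
    iterations: int
    parallelism: int
    salt: bytes
    digest: bytes


def _b64decode_unpadded(text: str) -> bytes:
    # PHC strings drop the '=' padding; restore it before decoding.
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_argon2_userpassword(value: str) -> Argon2Password:
    """Split an {ARGON2} userPassword value into its parameters."""
    m = _ARGON2_RE.match(value)
    if m is None:
        raise ValueError("not a well-formed {ARGON2} userPassword value")
    return Argon2Password(
        variant=m["variant"], version=int(m["version"]),
        memory_kib=int(m["m"]), iterations=int(m["t"]), parallelism=int(m["p"]),
        salt=_b64decode_unpadded(m["salt"]), digest=_b64decode_unpadded(m["hash"]),
    )


def audit_argon2_userpassword(value: str) -> list:
    """Return policy findings for one stored value (empty list == compliant)."""
    try:
        pw = parse_argon2_userpassword(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if pw.variant != POLICY["variant"]:
        findings.append(f"variant argon2{pw.variant}, policy wants argon2{POLICY['variant']}")
    if pw.memory_kib < POLICY["min_memory_kib"]:
        findings.append(f"m={pw.memory_kib} KiB below minimum {POLICY['min_memory_kib']}")
    if pw.iterations < POLICY["min_iterations"]:
        findings.append(f"t={pw.iterations} below minimum {POLICY['min_iterations']}")
    if len(pw.salt) < POLICY["min_salt_bytes"]:
        findings.append(f"salt is only {len(pw.salt)} bytes")
    if len(pw.digest) < POLICY["min_hash_bytes"]:
        findings.append(f"hash is only {len(pw.digest)} bytes")
    return findings


def audit_ldif(ldif_text: str) -> dict:
    """Audit every LDIF entry (e.g. ldapsearch -LLL output) that carries userPassword.

    ldapsearch writes such values as 'userPassword:: <base64>', so both the
    plain and the base64-encoded attribute forms are accepted."""
    results, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            raw = base64.b64decode(line[15:].strip()).decode()
            results[dn] = audit_argon2_userpassword(raw)
        elif line.startswith("userPassword: ") and dn:
            results[dn] = audit_argon2_userpassword(line[14:].strip())
    return results


# Constructed sample input: the hash from the answer plus one legacy entry
# whose {SSHA} value is a placeholder, not a real hash.
SAMPLE_HASH = ("{ARGON2}$argon2i$v=19$m=4096,t=3,p=1"
               "$G+lDOYm0ra9Gl/e/gZ+FZw$HlePGPXj2ghUZfznIvKvzgRZaEXm0/4YVWttmztakgM")
LEGACY_B64 = base64.b64encode(b"{SSHA}constructedNotARealHash=").decode()
SAMPLE_LDIF = f"""dn: cn=JohnDoe,ou=users,dc=example,dc=com
userPassword: {SAMPLE_HASH}

dn: cn=legacy,ou=users,dc=example,dc=com
userPassword:: {LEGACY_B64}
"""

if __name__ == "__main__":
    for entry_dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(entry_dn, "->", findings or "OK")
```

Run against the answer's own sample, the audit reports that the value uses argon2i rather than argon2id and that m=4096 KiB is below the example policy's memory floor; the legacy {SSHA} entry is flagged as not an {ARGON2} value at all, which is the case a migration needs to find.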