openldap-bugs May 2012

openldap-bugs@openldap.org

23 participants
78 discussions

Re: (ITS#7284) [PATCH] slappasswd: Add support loading a dynamically loadable module
by hyc＠symas.com 31 May '12

31 May '12

fumiyas(a)osstech.co.jp wrote: > Full_Name: SATOH Fumiyasu > Version: master, 2.4.31 > OS: > URL: https://gist.github.com/2841031 > Submission from: (NULL) (220.100.28.128) > > > This patch is for slappasswd to add "-o module-path=<pathspec>" and > "-o module-load=<filename>" options to load a dynamically loadable > password hash module (e.g., slapd-sha2). > > Thanks, added to master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas＠osstech.co.jp 31 May '12

31 May '12

At Thu, 31 May 2012 08:43:30 +0200, Michael Ströder wrote: > I'm trying to build this module (make distclean before) from recent RE24 git > 0cfc487a70f2de40d9827b67949569653ee0e28a but it fails: > > $ make > cc -I../../../../include -Wall -g -c slapd-sha2.c > cc -I../../../../include -Wall -g -c sha2.c > cc -I../../../../include -shared -Wall -g slapd-sha2.o sha2.o -o slapd-sha2.so > /usr/lib64/gcc/x86_64-suse-linux/4.5/../../../../x86_64-suse-linux/bin/ld: > slapd-sha2.o: relocation R_X86_64_32 against `.text' can not be used when > making a shared object; recompile with -fPIC See the above message. :-) > slapd-sha2.o: could not read symbols: Bad value > collect2: ld returned 1 exit status > make: *** [slapd-sha2.so] Error 1 > > Do I have to tweak the Makefile? Add -fPIC to $CCFLAGS in Makefile if you are using GCC. -- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by michael＠stroeder.com 30 May '12

30 May '12

This is a cryptographically signed message in MIME format. --------------ms060305000509010900080201 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I'm trying to build this module (make distclean before) from recent RE24 = git 0cfc487a70f2de40d9827b67949569653ee0e28a but it fails: $ make cc -I../../../../include -Wall -g -c slapd-sha2.c cc -I../../../../include -Wall -g -c sha2.c cc -I../../../../include -shared -Wall -g slapd-sha2.o sha2.o -o slapd-sh= a2.so /usr/lib64/gcc/x86_64-suse-linux/4.5/../../../../x86_64-suse-linux/bin/ld= : slapd-sha2.o: relocation R_X86_64_32 against `.text' can not be used when= making a shared object; recompile with -fPIC slapd-sha2.o: could not read symbols: Bad value collect2: ld returned 1 exit status make: *** [slapd-sha2.so] Error 1 Do I have to tweak the Makefile? Ciao, Michael. --------------ms060305000509010900080201 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFOzCC BTcwggMfoAMCAQICAwl4kDANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4w HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMDEx MTcxNTQzMzFaFw0xMjExMTYxNTQzMzFaMD8xGDAWBgNVBAMUD01pY2hhZWwgU3Ry9mRlcjEj MCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDo2SKth5GhtaDrCyfGtyUG+/hAAa/J52L0NFN4SSRvTtdGf9HfWwwd NCtgae0TVGWk2lKDbXA9d5vmyIiRhuwxd90H6FLErhRBeB9G67qtw87E8WUoXt2DwPQEUTWV hqHpPadlmgFw3+i3TGQQTe3O3W9MMMd4GJNhObem2VGRuCD37OXnzBksTcq0FPJgcWAhe3d/ 0ItOkNWBqgq8Mf3p7WFBhaQ0a27BC/mKtH8fI3kPcS305imPRja69Msq3EwUZBc9ToVp6FRQ NYKjfOBybDUzVkmRZl3H8xutQP2w8Zxb8m5f7Q1BfLLrIFScfYvIDgOERxTCd4lab8+/09XH AgMBAAGjggEAMIH9MAwGA1UdEwEB/wQCMAAwVgYJYIZIAYb4QgENBEkWR1RvIGdldCB5b3Vy IG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSBoZWFkIG92ZXIgdG8gaHR0cDovL3d3dy5DQWNl cnQub3JnMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYBBAGCNwoDBAYKKwYB BAGCNwoDAwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov L29jc3AuY2FjZXJ0Lm9yZzAfBgNVHREEGDAWgRRtaWNoYWVsQHN0cm9lZGVyLmNvbTANBgkq hkiG9w0BAQUFAAOCAgEANPf/aLF41eQlvN5dEg3CFnlN//qQK7+EPIXLnHprNWLb4nBwgdPj /E+qa1umT7px4Py3VS0UTKqLmMdWftwid8MOMHWalZwrfx0Z8U3He+EdJhOSnn9vdd/ug7Xd dI/hRjLaBSq9ZhCczEUgL6vTxCYPlIoHF56y/oxSJw59vRBjvRFKXvpBZWseeRkcGACQduNH SNdWC1IqHAbQlgOS9VWQUYlm//BdaLkezRxqnQp5+KJMAcZzHpdNJ3G4SqCJ02Z3n4kk8IKZ AjgiWxisDFNsfXKDb9Ng5ntnnH2ouxrgPoNnW445tgkz50VKHstylx9s5O3G7uUTtg0J+z63 TA8xbN6kzRx7RgAUkEXhl6WEdW+3EVj5tYY38Uy8vleP+gYZfphKEmQJgIQqy9D2+gesbolT QdWYgbUYY2AHJOshskMW7pahYnFX2pZmn/ayaPc+JFJlCEqO0+DcYQjYuv6sntQgZGkok7yZ R4xMbyCp61pTrfGWOufZs/FiScJZg1IWY5qb4URH4VZZjLNMR2pFMRuE4LvgkkMRasbUv7Yv n3Lzv34lTfJKUqYW6nx//L2NS4rN63o0taPwRygnuBK4kp7EYEcwtLeanJhQoIu4b6If9rwy D7CFAp51wIewV9VtZ1Is0irNBcMVyhJogIcuIn+VWY1ff1RxySD/djMxggOUMIIDkAIBATCB gDB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcx IjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1 cHBvcnRAY2FjZXJ0Lm9yZwIDCXiQMAkGBSsOAwIaBQCgggHoMBgGCSqGSIb3DQEJAzELBgkq hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEyMDUzMTA2NDMzMFowIwYJKoZIhvcNAQkEMRYE FC85H17zMN2jlPjKKQ1rj5hqS8WpMF8GCSqGSIb3DQEJDzFSMFAwCwYJYIZIAWUDBAECMAoG CCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggq hkiG9w0DAgIBKDCBkQYJKwYBBAGCNxAEMYGDMIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAc BgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5n IEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMJeJAwgZMG CyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6 Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEh MB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMJeJAwDQYJKoZIhvcNAQEBBQAE ggEAXbWKhps9kQkfGtZFzf7H79BV32CGHmWfLnjgZgGMaEyhcig7b3PDVVIc63qnRL5Q7chG AJBM8L2KwPIkfk+mlso3F9cZA2oDgmSttIVYv/2IZmKkH0Ed9K4+4LhUms8lxdJGdpaj2/dS iRFjPumGR5lHopiVa5s2YEfkry75T93hwawU6Lx5ZQ0wouuleysRAygsFaMO5r4ugp4nIX2Y 1Uqe+uyLl5fKwxSnKmfqZ24KpGGuqgrezurZDnFdAJbDF/4Gwe/EpViG28tDXx0zEMm+BejJ 4jTd7VjpUgj85QmoHTttzervjjuz5XVEf3SRdTmImTQrDgJP55zGZdKa6QAAAAAAAA== --------------ms060305000509010900080201--

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas＠osstech.co.jp 30 May '12

30 May '12

At Wed, 30 May 2012 17:11:23 GMT, Kurt(a)OpenLDAP.org wrote: > > I wish the following command-line option for slappasswd to > > load dynamically loadable password hash modules: > > > > $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}' > > ... > > > > $ slappasswd -o module-path=/path/to/lib/openldap \ > > -o module-load=slapd-sha2.la -h '{SSHA512}' > > This seems more appropriate approach to me than reading slapd.conf files. Users who use a particular module frequently can use an alias to reduce the typing overhead. I've created a patch. http://www.openldap.org/its/index.cgi?findid=7284 -- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/

1 0

(ITS#7284) [PATCH] slappasswd: Add support loading a dynamically loadable module
by fumiyas＠osstech.co.jp 30 May '12

30 May '12

Full_Name: SATOH Fumiyasu Version: master, 2.4.31 OS: URL: https://gist.github.com/2841031 Submission from: (NULL) (220.100.28.128) This patch is for slappasswd to add "-o module-path=<pathspec>" and "-o module-load=<filename>" options to load a dynamically loadable password hash module (e.g., slapd-sha2).

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by Kurt＠OpenLDAP.org 30 May '12

30 May '12

On May 30, 2012, at 10:06 AM, fumiyas(a)osstech.co.jp wrote: > I wish the following command-line option for slappasswd to > load dynamically loadable password hash modules: > > $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}' > ... > > $ slappasswd -o module-path=/path/to/lib/openldap \ > -o module-load=slapd-sha2.la -h '{SSHA512}' This seems more appropriate approach to me than reading slapd.conf files. Users who use a particular module frequently can use an alias to reduce the typing overhead. -- Kurt

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas＠osstech.co.jp 30 May '12

30 May '12

Hi, I wish the following command-line option for slappasswd to load dynamically loadable password hash modules: $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}' ... $ slappasswd -o module-path=/path/to/lib/openldap \ -o module-load=slapd-sha2.la -h '{SSHA512}' ... At Wed, 30 May 2012 13:45:48 GMT, Kurt(a)OpenLDAP.org wrote: > While if I needed some scheme only in contrib I might resort to other means to generate the hash (such as a little perl), I don't object to slappasswd, when requested by option, reading the configuration, loading the modules, and generating the hash. I would only object if slappasswd did this by default, as that would cause me to have to use other means even for core schemes. I've revised the patch: https://gist.github.com/2632560 With this patch: $ slappasswd Same as the original behavior (do not read any config) $ slappasswd -f /path/to/slapd.conf Read the specified slapd.conf $ slappasswd -f - Read the default slapd.conf -- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/

1 0

Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
by hyc＠symas.com 30 May '12

30 May '12

W. Trevor King wrote: > On Wed, May 30, 2012 at 06:14:38AM -0700, Howard Chu wrote: >> Ideally the command line option should have been able to set this >> explicitly to both true and false, to allow complete control over >> the option. But I'm not particularly concerned either way. Since the >> option currently can only be set to true, it would be sufficient to >> just check for nocanon != 0 before calling ldap_set_option. > > My personal goal here is to not need to bother with command line > options, so I'm fine with this less general solution. Another patch > (only set the option with an explicit `-N`) attached. > > --- > The attached patch file is derived from OpenLDAP Software. All of the > modifications to OpenLDAP Software represented in the following > patch(es) were developed by W. Trevor King wking(a)tremily.us. I have > not assigned rights and/or interest in this work to any party. > > I, W. Trevor King, hereby place the following modifications to > OpenLDAP Software (and only these modifications) into the public > domain. Hence, these modifications may be freely used and/or > redistributed for any purpose with or without attribution and/or other > notice. > Thanks, added to master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
by wking＠tremily.us 30 May '12

30 May '12

--oLBj+sq0vYjzfsbl Content-Type: multipart/mixed; boundary="yrj/dFKFPuw6o+aM" Content-Disposition: inline --yrj/dFKFPuw6o+aM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, May 30, 2012 at 06:14:38AM -0700, Howard Chu wrote: > Ideally the command line option should have been able to set this > explicitly to both true and false, to allow complete control over > the option. But I'm not particularly concerned either way. Since the > option currently can only be set to true, it would be sufficient to > just check for nocanon !=3D 0 before calling ldap_set_option. My personal goal here is to not need to bother with command line options, so I'm fine with this less general solution. Another patch (only set the option with an explicit `-N`) attached. --- The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by W. Trevor King wking(a)tremily.us. I have not assigned rights and/or interest in this work to any party. I, W. Trevor King, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. --=20 This email may be signed or encrypted with GnuPG (http://www.gnupg.org). For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy --yrj/dFKFPuw6o+aM Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="tool-nocanon.patch" Content-Transfer-Encoding: quoted-printable diff --git a/clients/tools/common.c b/clients/tools/common.c index 9c98b62..e928fb2 100644 --- a/clients/tools/common.c +++ b/clients/tools/common.c @@ -1410,12 +1410,13 @@ dnssrv_free:; =20 #ifdef HAVE_CYRUS_SASL /* canon */ - if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON, - nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) !=3D LDAP_OPT_SUCCESS ) - { - fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n", - nocanon ? "on" : "off" ); - tool_exit( ld, EXIT_FAILURE ); + if( nocanon ) { + if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON, + LDAP_OPT_ON ) !=3D LDAP_OPT_SUCCESS ) + { + fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON on\n" ); + tool_exit( ld, EXIT_FAILURE ); + } } #endif if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol ) --yrj/dFKFPuw6o+aM-- --oLBj+sq0vYjzfsbl Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iQIcBAEBAgAGBQJPxjviAAoJEEUbTsx0l5OM4+AQALnDBr4YL5g8BIgsU7Fvea1O 3cCh+arj8S3mFsltqKnvOZTRqnPp9yafmCKzLnb8DP3xstXFwF3A/J1o8+Ptzi9d v5EbYd/+jUp1kQBAQHclS87OwjijgHuZtRZxcJXbh4CrV7T/FG6byiVvpFpxR06O ug306vFhqhBk1FpbUJU+R0u7gzUaTjhW4O/RE9kPEaqnkSSfd+NuCF1L8ZHzmAOc xA8gJgUVP5GOgfrZeoQjuyO+mGOVpHPjcybs1VThyhbLWwPKb/RExdTa/0x+A/p8 hVlM9C9SGr1UC3QQaboSON0rhP4UjHc/HCA53Ijgw+vCr0KiaUDjaiG83ydj0EfY Q71IF/PY286lUCLorw1ZJqtAP1dRbpWCk+45A4ZoMR6zWgUUX1L27v7gD5pUQZWW J85OU8D1OFuH1tYNXp+6VgiQpO5ofwQTaQo2puVOjwGpgjCjl1g69kWLjle9JvEv cRZ9wuT3rfVc9Ujv/Tqirw6cy+1QJopKjRlHcV1RX6j34RFBfc9qwcM/3BC1sMGD 2IDRte87sUAq+i3bM43iFujTI9AwUd3pAP/9x2D7tnrr4t5ixV+MBtaNmWtblBos XHeReDSakxipIfBxJtQTSTeKrb7VPS4d7RpUEg5etXLIxVaJyVpSTl0G3b8tWwC0 yZySTz5NthLULma8573R =lyIG -----END PGP SIGNATURE----- --oLBj+sq0vYjzfsbl--

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by Kurt＠OpenLDAP.org 30 May '12

30 May '12

On May 29, 2012, at 1:38 PM, michael(a)stroeder.com wrote: > Still you did not answer why SHA-1 is in and SHA-2 is out. Well, the general rule is simply all new hash schemes should go in contrib first. What you ask is for an exception to this general rule for SHA-2. I don't see the arguments for the exception being all that strong. Arguing it should be "in" because SHA-1 is "in" is a really poor argument. SHA-1 is "in" because it was grandfathered in. SHA-2, like any new hash scheme, is "out" because of the current practice to put new schemes in contrib. It's as simple as that, I think. I do note that there's many issues bring hashes into core. One key one is that core schemes ought to work with minimal 3rd party libraries, and that means without OpenSSL. So bringing these schemes also means, if we hold to this, bring in a SHA2 implementation into core... and that's gets, well, more involved. And that's one of reasons we have the core/contrib split. Anyways, I personally think no exception should be granted, these schemes should go into contrib like any other new hash scheme would. I've thought a bit about whether slappasswd should or should not load modules. I stand against slapppasswd reading slapd configuration by default. I would not object to reading slapd configuration when specifically requested by the user (by a command line argument). I generally run slappasswd (for setup purposes) as a user which has no access to slapd configuration. This not only for convenience, but for security reasons (limit programs which can read the configuration, as the configuration contains sensitive information). While if I needed some scheme only in contrib I might resort to other means to generate the hash (such as a little perl), I don't object to slappasswd, when requested by option, reading the configuration, loading the modules, and generating the hash. I would only object if slappasswd did this by default, as that would cause me to have to use other means even for core schemes. -- Kurt

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2012