openldap-bugs May 2012

openldap-bugs@openldap.org

23 participants
78 discussions

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by hyc＠symas.com 29 May '12

29 May '12

Quanah Gibson-Mount wrote: > --On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote: > >>> It is a problem that a slappasswd user must have read privilage >>> on slapd.conf (or slapd.d) by this patch... >> >> slappasswd is an administrative command; if you don't have administrator >> access already you have no business running it. > > What in any way makes it administrative? You simply give it a password to > convert into whatever scheme for you. Where is the administrative > requirement? Why shouldn't X user with some particular permissions into > the database, but not the configuration, be able to run it to generate a > value? slap*(8) are all administrative tools, by definition. You should already know that. Why should X user ever need to run this tool to generate a value? slapd generates users' password values automatically. The only time anyone ever *needs* this tool is for setting a rootpw in the slapd config. That's the only reason this tool exists and it is the only valid use case. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by hyc＠symas.com 29 May '12

29 May '12

michael(a)stroeder.com wrote: > Doesn't this ask for fully integrating SHA-2 password support into > libraries/liblutil/passwd.c? Clearly you haven't thought this through. No, because that doesn't solve the problem of how to use other contrib passwd modules. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by michael＠stroeder.com 29 May '12

29 May '12

Kurt(a)OpenLDAP.org wrote: > I'd argue that slappassword shouldn't read the configuration and hence not > support 'contributed' hash mechanisms. Which means if SHA-2 stays in a separate overlay contrib/ there won't be practically usable SHA-2 support in OpenLDAP. I consider it falling behind other LDAP server implementations. > But if you are going to make slappassword read the configuration, then it > needs to be restricted to only users who have read access to the > configuration. Yes. > I have no real opinion about whether SHA-2 should or shouldn't be in the > core set of hashes... but personally I rather push folks towards SCRAM > compatible hashes than the same poor usages of newer hash algorithms. I concur that SCRAM would be the best choice. But IMO adding SHA-2 support to the core does not hold anybody back from developing/deploying SCRAM. In reality getting completely rid of simple bind in favour of SASL bind no matter which SASL mech is nothing done so easily with all the applications out in the wild. And last time I checked SCRAM support in cyrus-sasl required clear-text password in userPassword. So this is outside the OpenLDAP project, isn't it? Ciao, Michael.

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by Kurt＠OpenLDAP.org 29 May '12

29 May '12

I'd argue that slappassword shouldn't read the configuration and hence not support 'contributed' hash mechanisms. But if you are going to make slappassword read the configuration, then it needs to be restricted to only users who have read access to the configuration. I have no real opinion about whether SHA-2 should or shouldn't be in the core set of hashes... but personally I rather push folks towards SCRAM compatible hashes than the same poor usages of newer hash algorithms. -- Kurt

1 0

(ITS#7282) Invalid Regex in Documentation
by alacer.cogitatus＠gmail.com 29 May '12

29 May '12

Full_Name: Kyle Smith Version: 2.4.30 OS: Ubuntu Server 10.04.02LTS URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (192.245.87.13) In section 8.2.5 of the OpenLDAP Documentation (Access Control Examples), the example regex to allow an IP address is given by: by peername.regex=IP:10\..+ read I think it should read: by peername.regex=IP=10\..+ read

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by michael＠stroeder.com 29 May '12

29 May '12

This is a cryptographically signed message in MIME format. --------------ms010700080803040702000401 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable quanah(a)zimbra.com wrote: > --On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote: >=20 >>> It is a problem that a slappasswd user must have read privilage >>> on slapd.conf (or slapd.d) by this patch... >> >> slappasswd is an administrative command; if you don't have administrat= or >> access already you have no business running it. >=20 > What in any way makes it administrative? You simply give it a password= to=20 > convert into whatever scheme for you. Where is the administrative=20 > requirement? Why shouldn't X user with some particular permissions int= o=20 > the database, but not the configuration, be able to run it to generate = a=20 > value? I concur with Quanah: I know many operational procedures where slappasswd= is just used to generate pre-hashed userPassword values. This usage is suppo= rted by DESCRIPTION in slappasswd(8). I also don't see a requirement for administrative access to slapd's config at all. Doesn't this ask for fully integrating SHA-2 password support into libraries/liblutil/passwd.c? Ciao, Michael. --------------ms010700080803040702000401 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFOzCC BTcwggMfoAMCAQICAwl4kDANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4w HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMDEx MTcxNTQzMzFaFw0xMjExMTYxNTQzMzFaMD8xGDAWBgNVBAMUD01pY2hhZWwgU3Ry9mRlcjEj MCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDo2SKth5GhtaDrCyfGtyUG+/hAAa/J52L0NFN4SSRvTtdGf9HfWwwd NCtgae0TVGWk2lKDbXA9d5vmyIiRhuwxd90H6FLErhRBeB9G67qtw87E8WUoXt2DwPQEUTWV hqHpPadlmgFw3+i3TGQQTe3O3W9MMMd4GJNhObem2VGRuCD37OXnzBksTcq0FPJgcWAhe3d/ 0ItOkNWBqgq8Mf3p7WFBhaQ0a27BC/mKtH8fI3kPcS305imPRja69Msq3EwUZBc9ToVp6FRQ NYKjfOBybDUzVkmRZl3H8xutQP2w8Zxb8m5f7Q1BfLLrIFScfYvIDgOERxTCd4lab8+/09XH AgMBAAGjggEAMIH9MAwGA1UdEwEB/wQCMAAwVgYJYIZIAYb4QgENBEkWR1RvIGdldCB5b3Vy IG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSBoZWFkIG92ZXIgdG8gaHR0cDovL3d3dy5DQWNl cnQub3JnMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYBBAGCNwoDBAYKKwYB BAGCNwoDAwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov L29jc3AuY2FjZXJ0Lm9yZzAfBgNVHREEGDAWgRRtaWNoYWVsQHN0cm9lZGVyLmNvbTANBgkq hkiG9w0BAQUFAAOCAgEANPf/aLF41eQlvN5dEg3CFnlN//qQK7+EPIXLnHprNWLb4nBwgdPj /E+qa1umT7px4Py3VS0UTKqLmMdWftwid8MOMHWalZwrfx0Z8U3He+EdJhOSnn9vdd/ug7Xd dI/hRjLaBSq9ZhCczEUgL6vTxCYPlIoHF56y/oxSJw59vRBjvRFKXvpBZWseeRkcGACQduNH SNdWC1IqHAbQlgOS9VWQUYlm//BdaLkezRxqnQp5+KJMAcZzHpdNJ3G4SqCJ02Z3n4kk8IKZ AjgiWxisDFNsfXKDb9Ng5ntnnH2ouxrgPoNnW445tgkz50VKHstylx9s5O3G7uUTtg0J+z63 TA8xbN6kzRx7RgAUkEXhl6WEdW+3EVj5tYY38Uy8vleP+gYZfphKEmQJgIQqy9D2+gesbolT QdWYgbUYY2AHJOshskMW7pahYnFX2pZmn/ayaPc+JFJlCEqO0+DcYQjYuv6sntQgZGkok7yZ R4xMbyCp61pTrfGWOufZs/FiScJZg1IWY5qb4URH4VZZjLNMR2pFMRuE4LvgkkMRasbUv7Yv n3Lzv34lTfJKUqYW6nx//L2NS4rN63o0taPwRygnuBK4kp7EYEcwtLeanJhQoIu4b6If9rwy D7CFAp51wIewV9VtZ1Is0irNBcMVyhJogIcuIn+VWY1ff1RxySD/djMxggOUMIIDkAIBATCB gDB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcx IjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1 cHBvcnRAY2FjZXJ0Lm9yZwIDCXiQMAkGBSsOAwIaBQCgggHoMBgGCSqGSIb3DQEJAzELBgkq hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEyMDUyOTE2NDYzOFowIwYJKoZIhvcNAQkEMRYE FE1pvmOeFeNxFwX+H8VmVvMDK6OWMF8GCSqGSIb3DQEJDzFSMFAwCwYJYIZIAWUDBAECMAoG CCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggq hkiG9w0DAgIBKDCBkQYJKwYBBAGCNxAEMYGDMIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAc BgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5n IEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMJeJAwgZMG CyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6 Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEh MB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMJeJAwDQYJKoZIhvcNAQEBBQAE ggEAG+NichvhG0i4Tb18NExkCpBoGmzkaf3J/WSiwU5y01mEOEct8YvtixC3EdVlpVfKYOLb pKDGt2W6yNZySAEkQqZlWffWaYou3aJF5t/DjykuqpvBR0wNO1casY8OGAHMX1g0RicGIS12 30Ulk8vJTYQy3hMovlfztgHaEE7yI8Acem9ccJAuFoXbTCyDC47HcDf/pL4en6WGyMkyruhR 0vULseO+OUQ+LY+ic4C8qPXAtSnDrCPmUaOcns7Nz2cuZFgPe7dVt4NcXpsKXihy+PIag+Tz iiskIJ7u4iQaPFW2QBDZrmpa8UPCaWOy6KjtDDF8TNj5LwewODIJZ03kMAAAAAAAAA== --------------ms010700080803040702000401--

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by quanah＠zimbra.com 29 May '12

29 May '12

--On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote: >> It is a problem that a slappasswd user must have read privilage >> on slapd.conf (or slapd.d) by this patch... > > slappasswd is an administrative command; if you don't have administrator > access already you have no business running it. What in any way makes it administrative? You simply give it a password to convert into whatever scheme for you. Where is the administrative requirement? Why shouldn't X user with some particular permissions into the database, but not the configuration, be able to run it to generate a value? --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by hyc＠symas.com 29 May '12

29 May '12

fumiyas(a)osstech.co.jp wrote: > At Tue, 29 May 2012 05:49:52 GMT, > fumiyas@OSSTech wrote: >>> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch >> >> In patched slapd-sha2.c, "#define SLAPD_SHA2_DEBUG" must be removed. >> Sorry. > > FYI. > > [PATCH] slappasswd: Read slapd.conf to load dynamic password hash modules > https://gist.github.com/2632560 > > It is a problem that a slappasswd user must have read privilage > on slapd.conf (or slapd.d) by this patch... slappasswd is an administrative command; if you don't have administrator access already you have no business running it. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas＠osstech.co.jp 29 May '12

29 May '12

At Tue, 29 May 2012 05:49:52 GMT, fumiyas@OSSTech wrote: > > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch > > In patched slapd-sha2.c, "#define SLAPD_SHA2_DEBUG" must be removed. > Sorry. FYI. [PATCH] slappasswd: Read slapd.conf to load dynamic password hash modules https://gist.github.com/2632560 It is a problem that a slappasswd user must have read privilage on slapd.conf (or slapd.d) by this patch... > > This patch adds support {SSHA256}, {SSHA384} and {SSHA512} hash schemes > > to slapd-sha2 module. > > > > This patch depends on > > ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-multithread.patch > > (http://www.openldap.org/its/index.cgi?findid=7269). -- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/

1 0

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by fumiyas＠osstech.co.jp 28 May '12

28 May '12

At Thu, 24 May 2012 01:32:33 GMT, fumiyas@OSSTech wrote: > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch In patched slapd-sha2.c, "#define SLAPD_SHA2_DEBUG" must be removed. Sorry. > This patch adds support {SSHA256}, {SSHA384} and {SSHA512} hash schemes > to slapd-sha2 module. > > This patch depends on > ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-multithread.patch > (http://www.openldap.org/its/index.cgi?findid=7269). -- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2012