Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by hyc@symas.com
Quanah Gibson-Mount wrote:
> --On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote:
>
>>> It is a problem that a slappasswd user must have read privilage
>>> on slapd.conf (or slapd.d) by this patch...
>>
>> slappasswd is an administrative command; if you don't have administrator
>> access already you have no business running it.
>
> What in any way makes it administrative? You simply give it a password to
> convert into whatever scheme for you. Where is the administrative
> requirement? Why shouldn't X user with some particular permissions into
> the database, but not the configuration, be able to run it to generate a
> value?
slap*(8) are all administrative tools, by definition. You should already know
that.
Why should X user ever need to run this tool to generate a value? slapd
generates users' password values automatically. The only time anyone ever
*needs* this tool is for setting a rootpw in the slapd config. That's the only
reason this tool exists and it is the only valid use case.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by michael@stroeder.com
Kurt(a)OpenLDAP.org wrote:
> I'd argue that slappassword shouldn't read the configuration and hence not
> support 'contributed' hash mechanisms.
Which means if SHA-2 stays in a separate overlay contrib/ there won't be
practically usable SHA-2 support in OpenLDAP. I consider it falling behind
other LDAP server implementations.
> But if you are going to make slappassword read the configuration, then it
> needs to be restricted to only users who have read access to the
> configuration.
Yes.
> I have no real opinion about whether SHA-2 should or shouldn't be in the
> core set of hashes... but personally I rather push folks towards SCRAM
> compatible hashes than the same poor usages of newer hash algorithms.
I concur that SCRAM would be the best choice.
But IMO adding SHA-2 support to the core does not hold anybody back from
developing/deploying SCRAM. In reality getting completely rid of simple bind
in favour of SASL bind no matter which SASL mech is nothing done so easily
with all the applications out in the wild.
And last time I checked SCRAM support in cyrus-sasl required clear-text
password in userPassword. So this is outside the OpenLDAP project, isn't it?
Ciao, Michael.
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by Kurt@OpenLDAP.org
I'd argue that slappassword shouldn't read the configuration and hence not support 'contributed' hash mechanisms.
But if you are going to make slappassword read the configuration, then it needs to be restricted to only users who have read access to the configuration.
I have no real opinion about whether SHA-2 should or shouldn't be in the core set of hashes... but personally I rather push folks towards SCRAM compatible hashes than the same poor usages of newer hash algorithms.
-- Kurt
(ITS#7282) Invalid Regex in Documentation
by alacer.cogitatus@gmail.com
Full_Name: Kyle Smith
Version: 2.4.30
OS: Ubuntu Server 10.04.02LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (192.245.87.13)
In section 8.2.5 of the OpenLDAP Documentation (Access Control Examples), the
example regex to allow an IP address is given by:
by peername.regex=IP:10\..+ read
I think it should read:
by peername.regex=IP=10\..+ read
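To make the report concrete, here is an added check (not part of the ITS submission or of OpenLDAP) that runs both regexes over a few constructed peername strings. It assumes the format slapd reports for peernames, `IP=<address>:<port>` for TCP clients and `PATH=<socket>` for ldapi:// clients, and uses Python's `re.search` as a stand-in for the unanchored POSIX regex match slapd performs:

```python
import re

# Constructed sample peernames in the form slapd reports them
# ("IP=<address>:<port>" for TCP clients, "PATH=<socket>" for ldapi://).
SAMPLE_PEERNAMES = (
    "IP=10.1.2.3:54321",
    "IP=10.200.0.9:389",
    "IP=192.0.2.7:1234",
    "PATH=/run/slapd/ldapi",
)

# The pattern as printed in the Admin Guide example versus the corrected one.
DOCUMENTED = r"IP:10\..+"
CORRECTED = r"IP=10\..+"
# Tighter variant: anchor the whole string so only 10/8 TCP clients match.
ANCHORED = r"^IP=10\.[0-9.]+:[0-9]+$"


def peername_matches(pattern: str, peername: str) -> bool:
    """Unanchored search, mirroring how peername.regex is applied."""
    return re.search(pattern, peername) is not None


def matching_peers(pattern: str, peernames=SAMPLE_PEERNAMES) -> list:
    """Return the sample peernames the ACL clause would grant access to."""
    return [p for p in peernames if peername_matches(pattern, p)]


if __name__ == "__main__":
    for name, pattern in (("documented", DOCUMENTED),
                          ("corrected", CORRECTED),
                          ("anchored", ANCHORED)):
        print(f"{name:10s} {pattern!r:28s} -> {matching_peers(pattern)}")
```

With the colon the clause never matches anything, so the intended "read" grant silently never applies; with `=` it matches exactly the 10/8 clients.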
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by michael@stroeder.com
quanah(a)zimbra.com wrote:
> --On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote:
>
>>> It is a problem that a slappasswd user must have read privilage
>>> on slapd.conf (or slapd.d) by this patch...
>>
>> slappasswd is an administrative command; if you don't have administrator
>> access already you have no business running it.
>
> What in any way makes it administrative? You simply give it a password to
> convert into whatever scheme for you. Where is the administrative
> requirement? Why shouldn't X user with some particular permissions into
> the database, but not the configuration, be able to run it to generate a
> value?
I concur with Quanah: I know many operational procedures where slappasswd is
just used to generate pre-hashed userPassword values. This usage is supported
by DESCRIPTION in slappasswd(8). I also don't see a requirement for
administrative access to slapd's config at all.
Doesn't this ask for fully integrating SHA-2 password support into
libraries/liblutil/passwd.c?
Ciao, Michael.
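The thread is about slappasswd emitting salted SHA-2 userPassword values. As an added illustration (not code from the patch, the contrib module or liblutil/passwd.c), here is how such a value is built and checked. It assumes the storage layout of the salted SHA-2 schemes mirrors `{SSHA}`: the scheme prefix followed by base64 of the digest with the salt appended, where the digest is over password bytes followed by salt; verification must use a constant-time comparison and reject values that are too short to contain a salt:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed layout (mirrors {SSHA}): "{SSHA256}" + base64(digest || salt).
# A fresh random salt per password keeps equal passwords from hashing alike.
SALTED_SCHEMES = {
    "{SSHA256}": hashlib.sha256,
    "{SSHA384}": hashlib.sha384,
    "{SSHA512}": hashlib.sha512,
}


def hash_password(password: str, scheme: str = "{SSHA256}",
                  salt: Optional[bytes] = None) -> str:
    """Return a userPassword value; pass a fixed salt only for tests."""
    try:
        digest_fn = SALTED_SCHEMES[scheme]
    except KeyError:
        raise ValueError("unsupported scheme: " + scheme)
    if salt is None:
        salt = os.urandom(8)
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str):
    """Split '{SCHEME}payload' into (scheme, payload); scheme is case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        return None, stored
    end = stored.index("}")
    return stored[:end + 1].upper(), stored[end + 1:]


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored salted SHA-2 value."""
    scheme, payload = split_scheme(stored)
    digest_fn = SALTED_SCHEMES.get(scheme)
    if digest_fn is None:
        return False                      # not a scheme this checker knows
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    digest_size = digest_fn().digest_size
    if len(raw) <= digest_size:           # no salt present: malformed value
        return False
    stored_digest, salt = raw[:digest_size], raw[digest_size:]
    computed = digest_fn(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, stored_digest)


if __name__ == "__main__":
    value = hash_password("example-password")
    print(value)
    print(verify_password(value, "example-password"))   # True
    print(verify_password(value, "wrong"))              # False
```

Because the salt is stored next to the digest, verification needs nothing from slapd.conf; that is why a generator for these values does not inherently require read access to the configuration.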
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
by quanah@zimbra.com
--On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote:
>> It is a problem that a slappasswd user must have read privilage
>> on slapd.conf (or slapd.d) by this patch...
>
> slappasswd is an administrative command; if you don't have administrator
> access already you have no business running it.
What in any way makes it administrative? You simply give it a password to
convert into whatever scheme for you. Where is the administrative
requirement? Why shouldn't X user with some particular permissions into
the database, but not the configuration, be able to run it to generate a
value?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration