Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
+1 for pw-sha2 and pw-argon2.
FWIW: slapo-noopsrch and slapo-lastbind are what I use in almost every installation.
Ciao, Michael.
Michael Ströder wrote:
> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
> +1 for pw-sha2 and pw-argon2.
sha2 is already obsolete, for password purposes. I see no reason to promote it.
> FWIW: slapo-noopsrch and slapo-lastbind are what I use in almost every installation.
> Ciao, Michael.
On 4/22/20 8:17 PM, Gavin Henry wrote:
> What's the recommended hash for UserPassword at the moment?
Tough question.
In Æ-DIR's default config I'm using non-portable settings that have been available on mainstream Linux distros for a couple of years:
    password-hash {CRYPT}
    password-crypt-salt-format "$6$rounds=20000$%.16s"
I'm looking forward to getting a strong portable hash algorithm.
Ciao, Michael.
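An added example (not code from this thread or from OpenLDAP) that ties together the two points raised so far: how slapd's printf-style password-crypt-salt-format template shapes the {CRYPT} salt, and why the built-in {SSHA} scheme and the pw-sha2 schemes are weak as password stores (one fast digest, no work factor) compared with sha512crypt with rounds or Argon2. The script rates every userPassword value in an LDIF export so weak hashes can be scheduled for rehashing at next login. The sample entries, their DNs, the placeholder hash bodies and the MIN_CRYPT_ROUNDS threshold are constructed for this example; the scheme names {SSHA}, {SHA512}, {CRYPT} and {ARGON2} and the "$6$rounds=20000$%.16s" value are the ones discussed in the thread.

```python
"""Audit userPassword hash schemes in an LDIF export.

Added example for this thread, not OpenLDAP code. The scheme names
({SSHA}, {SHA512}, {CRYPT}, {ARGON2}) and the "$6$rounds=20000$%.16s"
salt format come from the discussion; the sample entries and the
weak/acceptable/strong thresholds are this example's own assumptions.
"""
import base64
import hashlib
import re

# Michael's password-crypt-salt-format value. slapd treats it as a printf-style
# template: "%.16s" keeps at most 16 characters of the random salt slapd draws.
CRYPT_SALT_FORMAT = "$6$rounds=20000$%.16s"

# Assumed policy threshold: SHA-crypt defaults to 5000 rounds when no
# "rounds=" field is present; anything below this is rated weak here.
MIN_CRYPT_ROUNDS = 10000

WEAK_DIGEST_SCHEMES = {
    "MD5", "SMD5", "SHA", "SSHA",                 # built-in slapd schemes
    "SHA256", "SSHA256", "SHA384", "SSHA384",     # pw-sha2 contrib module
    "SHA512", "SSHA512",
}
SCHEME_RE = re.compile(r"^\{(?P<scheme>[A-Za-z0-9-]+)\}(?P<rest>.*)$")
CRYPT_ROUNDS_RE = re.compile(r"^\$[56]\$rounds=(\d+)\$")


def expand_salt_format(fmt: str, raw_salt: str) -> str:
    """Apply the salt template; Python's %-formatting honours %.16s like C."""
    return fmt % raw_salt


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: bytes) -> bool:
    """Check a candidate against an {SSHA} value: the salt is whatever
    follows the 20-byte SHA-1 digest, so a single fast hash settles it."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(candidate + salt).digest() == digest


def rate_hash(value: str) -> str:
    """Classify one userPassword value by scheme and work factor."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"            # no {scheme} prefix: stored as-is
    scheme, rest = m.group("scheme").upper(), m.group("rest")
    if scheme in WEAK_DIGEST_SCHEMES:
        return "weak"                 # single fast digest, no work factor
    if scheme == "CRYPT":
        if rest.startswith(("$5$", "$6$")):       # sha256crypt / sha512crypt
            rm = CRYPT_ROUNDS_RE.match(rest)
            rounds = int(rm.group(1)) if rm else 5000
            return "acceptable" if rounds >= MIN_CRYPT_ROUNDS else "weak"
        return "weak"                 # traditional DES or $1$ MD5-crypt
    if scheme == "ARGON2":
        return "strong"               # memory-hard, tunable cost
    return "unknown"


def audit_ldif(ldif_text: str) -> dict:
    """Return {dn: rating} for every entry carrying a userPassword.
    Handles both plain ("attr: v") and base64 ("attr:: v") LDIF values."""
    results, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: ") and dn is not None:
            raw = base64.b64decode(line[len("userPassword:: "):])
            results[dn] = rate_hash(raw.decode("utf-8"))
        elif line.startswith("userPassword: ") and dn is not None:
            results[dn] = rate_hash(line[len("userPassword: "):])
    return results


# Constructed sample export; the runs of "x"/"A" stand in for real hash bodies.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword: " + make_ssha(b"correct horse", b"s4lt"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(b"{SHA512}" + b"A" * 86 + b"==").decode("ascii"),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: {CRYPT}" + expand_salt_format(CRYPT_SALT_FORMAT, "abcdefghijklmnopqrstuvwxyz") + "$" + "x" * 86,
    "",
    "dn: uid=dave,ou=people,dc=example,dc=org",
    "userPassword: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0$" + "x" * 43,
])

if __name__ == "__main__":
    for entry_dn, rating in audit_ldif(SAMPLE_LDIF).items():
        print(f"{rating:<10} {entry_dn}")
```

Run it against the output of slapcat to get one rating per entry. Note that the "%.16s" in the salt format is what caps the salt at 16 characters, the maximum sha512crypt accepts, and that a {CRYPT} value without a "rounds=" field silently gets the 5000-round default, which is why the rating logic treats the missing field explicitly rather than assuming the configured 20000.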
--On Wednesday, April 22, 2020 8:01 PM +0100 Howard Chu <hyc@symas.com> wrote:
> Michael Ströder wrote:
>> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>>> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
>> +1 for pw-sha2 and pw-argon2.
> sha2 is already obsolete, for password purposes. I see no reason to promote it.
Ok. I would note that the argon2 module adds a dependency on a 3rd party library, so we'd need to add detection for it?
That's one reason to keep pw-sha2. It's still better than the default SSHA.
Or perhaps to get bcrypt added, if we can ever get a proper response from the author.
--Quanah
On 4/22/20 8:57 PM, Quanah Gibson-Mount wrote:
> Ok. I would note that the argon2 module adds a dependency on a 3rd party library, so we'd need to add detection for it?
If an automatic check is too much work I could live with a simple configure option --enable-argon2 with a textual comment "needs libsodium". The default could be --disable-argon2. So every downstream package can easily switch it on.
Ciao, Michael.
On 4/22/20 8:01 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>>> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
>> +1 for pw-sha2 and pw-argon2.
> sha2 is already obsolete, for password purposes. I see no reason to promote it.
Yes, SHA-2 is really weak. But moving pw-sha2 into mainline is *not* promoting it.
I see some use when migrating from other LDAP servers.
Ciao, Michael.
On Wed, Apr 22, 2020 at 07:41:40PM +0200, Michael Ströder wrote:
> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
> +1 for pw-sha2 and pw-argon2.
> FWIW: slapo-noopsrch and slapo-lastbind are what I use in almost every installation.
Might want to improve the core lastbind support to make that overlay obsolete instead?
On 22/04/2020 at 18:15, Quanah Gibson-Mount wrote:
> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
Maybe smbk5pwd module and autogroup overlay?
For the autogroup overlay, it depends on the new features of the dynlist overlay (compatibility with memberOf, for example).
On 4/23/20 2:47 PM, Clément OUDOT wrote:
> On 22/04/2020 at 18:15, Quanah Gibson-Mount wrote:
>> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
> Maybe smbk5pwd module and autogroup overlay?
Is smbk5pwd really useful today?
I'm asking although I made use of it in former deployments.
1. Kerberos functionality does not work with MIT Kerberos.
2. AFAICS NTLM password hashes (WinNT domain) will stop working with newer Windows versions. At least that's what I understood on the Samba mailing lists. Also storing NT password hashes is a security nightmare.
Ciao, Michael.
On 23/04/2020 at 15:44, Michael Ströder wrote:
> On 4/23/20 2:47 PM, Clément OUDOT wrote:
>> On 22/04/2020 at 18:15, Quanah Gibson-Mount wrote:
>>> Are there any contrib modules that we should consider promoting to mainline for the 2.5 series? I.e., sha2, argon2 seem like potential options.
>> Maybe smbk5pwd module and autogroup overlay?
> Is smbk5pwd really useful today?
> I'm asking although I made use of it in former deployments.
> 1. Kerberos functionality does not work with MIT Kerberos.
> 2. AFAICS NTLM password hashes (WinNT domain) will stop working with newer Windows versions. At least that's what I understood on the Samba mailing lists. Also storing NT password hashes is a security nightmare.
It can be useful to maintain compatibility with old systems.