On Thu, Apr 13, 2023 at 12:19 PM Quanah Gibson-Mount quanah@fast-mail.org wrote:
This is an annoying bit about the Debian/Ubuntu builds as they strip that information out of the binary.
I was curious about that, and Debian doesn't strip that information[1]:
ldapadd -V
ldapadd: @(#) $OpenLDAP: ldapmodify 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $
        Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
        (LDAP library: OpenLDAP 20513)
I don't have an Ubuntu box at hand but their devel branch has the same patch[2] applied.
If I trust that the datetime in the version string is the build date and time, and since they use reproducible builds, I would guess that the base version is 2.5.6, from this changelog [3].
--On Thursday, April 13, 2023 2:05 PM -0400 Braiam braiamp@gmail.com wrote:
On Thu, Apr 13, 2023 at 12:19 PM Quanah Gibson-Mount quanah@fast-mail.org wrote:
This is an annoying bit about the Debian/Ubuntu builds as they strip that information out of the binary.
I was curious about that, and Debian doesn't strip that information[1]:
Incorrect. As he clearly showed, the version information has been stripped from the slapd binary, which is what he provided the information from. Here's an example of a NON-STRIPPED slapd:
./lib/slapd -VVV
@(#) $OpenLDAP: slapd 2.6.4 (Feb 8 2023 17:18:31) $
        openldap
Here's what he posted:
@(#) $OpenLDAP: slapd (Ubuntu) (May 12 2022 13:11:05) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Note that the version is in fact stripped like I stated.
If I trust that the datetime in the version string is the build date and time, and since they use reproducible builds, I would guess that the base version is 2.5.6, from this changelog [3].
It's clearly 2.5.13 from what you posted ...
"ldapmodify 2.5.13+dfsg-5"
--Quanah
Hi,
On Thu, Apr 13, 2023 at 2:32 PM Braiam braiamp@gmail.com wrote:
On Thu, Apr 13, 2023 at 12:19 PM Quanah Gibson-Mount quanah@fast-mail.org wrote:
This is an annoying bit about the Debian/Ubuntu builds as they strip that information out of the binary.
I was curious about that, and Debian doesn't strip that information[1]:
ldapadd -V
ldapadd: @(#) $OpenLDAP: ldapmodify 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $
        Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
        (LDAP library: OpenLDAP 20513)
The "greedy" strip was eventually fixed, 22.04 shows the version correctly. Ubuntu 20.04 still has the issue, but it's not worth an update just because of that. Maybe we can bundle it together with another more important update when it comes along.
Hi dear,
I was able to find out the version. On Ubuntu 20.04 it is 2.4.49+dfsg-2ubuntu1.9, which is the newest available through apt tools. As Argon2 was not installed there, I launched a new testing environment on Ubuntu 22.04 with version:
/usr/sbin/slapd -VV
@(#) $OpenLDAP: slapd 2.5.14+dfsg-0ubuntu0.22.04.2 (Mar 12 2023 17:11:53) $
        Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
This is also the newest version I am able to install on this Ubuntu version. Even though it should work in theory, when I try to set {ARGON2} or {PBKDF2} in olcDatabase={-1}frontend or any other cn=config entry with olcPasswordHash, I get "LDAP result code 80 - other: <olcPasswordHash> no valid hashes found".
Besides that this is now a clean installation with no further configuration.
Looking forward to your reply.
Kind regards, Lukas
On 13.04.2023 at 19:39, Andreas Hasenack wrote:
Hi,
On Thu, Apr 13, 2023 at 2:32 PM Braiam braiamp@gmail.com wrote:
On Thu, Apr 13, 2023 at 12:19 PM Quanah Gibson-Mount <quanah@fast-mail.org> wrote:
This is an annoying bit about the Debian/Ubuntu builds as they strip that information out of the binary.
I was curious about that, and Debian doesn't strip that information[1]:
ldapadd -V
ldapadd: @(#) $OpenLDAP: ldapmodify 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $
        Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
        (LDAP library: OpenLDAP 20513)
The "greedy" strip was eventually fixed, 22.04 shows the version correctly. Ubuntu 20.04 still has the issue, but it's not worth an update just because of that. Maybe we can bundle it together with another more important update when it comes along.
--On Thursday, April 13, 2023 9:05 PM +0000 Lukas Adrian Kron lukaskron@posteo.de wrote:
Hi dear,
I was able to find out the version. On Ubuntu 20.04 it is 2.4.49+dfsg-2ubuntu1.9, which is the newest available through apt tools. As Argon2 was not installed there, I launched a new testing environment on Ubuntu 22.04 with version:
/usr/sbin/slapd -VV
@(#) $OpenLDAP: slapd 2.5.14+dfsg-0ubuntu0.22.04.2 (Mar 12 2023 17:11:53) $
        Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
This is also the newest version I am able to install on this Ubuntu version. Even though it should work in theory, when I try to set {ARGON2} or {PBKDF2} in olcDatabase={-1}frontend or any other cn=config entry with olcPasswordHash, I get "LDAP result code 80 - other: <olcPasswordHash> no valid hashes found".
Besides that this is now a clean installation with no further configuration.
Ubuntu builds those extensions as modules. If you haven't loaded them in your configuration, you can't use them. Please read the documentation,
specifically the portion on "Dynamic Module Options".
I also advise reading https://www.openldap.org/software/man.cgi?query=slappw-argon2&apropos=0&sektion=5&manpath=OpenLDAP+2.5-Release&arch=default&format=html to see how to use it with command line utilities such as slappasswd.
--Quanah
Hello Quanah,
thank you for your response. I read through the documentation and verified that in the path "/usr/lib/ldap" given under olcModulePath there are Argon2 files:
argon2-2.5.so.0 argon2-2.5.so.0.1.9 argon2.la argon2.so
Further, there is already a module loaded, "{0}back_mdb". Sadly I always get an error when trying to add the Argon2 module: "[LDAP result code 80 - other] cannot delete olcModuleLoad".
I list the things I tried setting as a new value in olcModuleLoad:
- each from the list above
- each from the list above with {1} at the beginning
- each from the list above with {} and {0}
I do not understand why this is happening, as I am not trying to delete any module; I am trying to set a new value in addition to back_mdb. I checked that this also happens with any other module in the path.
Many kind regards, Lukas
On 14.04.2023 at 20:08, Quanah Gibson-Mount wrote:
--On Thursday, April 13, 2023 9:05 PM +0000 Lukas Adrian Kron lukaskron@posteo.de wrote:
Hi dear,
I was able to find out the version. On Ubuntu 20.04 it is 2.4.49+dfsg-2ubuntu1.9, which is the newest available through apt tools. As Argon2 was not installed there, I launched a new testing environment on Ubuntu 22.04 with version:
/usr/sbin/slapd -VV
@(#) $OpenLDAP: slapd 2.5.14+dfsg-0ubuntu0.22.04.2 (Mar 12 2023 17:11:53) $
        Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
This is also the newest version I am able to install on this Ubuntu version. Even though it should work in theory, when I try to set {ARGON2} or {PBKDF2} in olcDatabase={-1}frontend or any other cn=config entry with olcPasswordHash, I get "LDAP result code 80 - other: <olcPasswordHash> no valid hashes found".
Besides that this is now a clean installation with no further configuration.
Ubuntu builds those extensions as modules. If you haven't loaded them in your configuration, you can't use them. Please read the documentation,
specifically the portion on "Dynamic Module Options".
I also advise reading https://www.openldap.org/software/man.cgi?query=slappw-argon2&apropos=0&sektion=5&manpath=OpenLDAP+2.5-Release&arch=default&format=html to see how to use it with command line utilities such as slappasswd.
--Quanah
--On Friday, April 14, 2023 8:54 PM +0000 Lukas Adrian Kron lukaskron@posteo.de wrote:
Hello Quanah,
thank you for your response. I read through the documentation and verified that in the path "/usr/lib/ldap" given under olcModulePath there are Argon2 files:
argon2-2.5.so.0 argon2-2.5.so.0.1.9 argon2.la argon2.so
Further, there is already a module loaded, "{0}back_mdb". Sadly I always get an error when trying to add the Argon2 module: "[LDAP result code 80 - other] cannot delete olcModuleLoad".
I list the things I tried setting as a new value in olcModuleLoad:
- each from the list above
- each from the list above with {1} at the beginning
- each from the list above with {} and {0}
I do not understand why this is happening, as I am not trying to delete any module; I am trying to set a new value in addition to back_mdb. I checked that this also happens with any other module in the path.
You haven't supplied what commands you are actually running, so it's impossible to help you much further. But what I would expect your general ldapmodify command to look like is:
ldapmodify ...
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: argon2.la
Once that works, then to make it the password hash used with LDAPv3 password modify operations:
ldapmodify ...
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {ARGON2}
Note that this would remove any other password hashes as default possibilities (you can still use passwords that use other schemes than what's built into OpenLDAP as long as the modules for them are also loaded).
--Quanah
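As an added example (not code from the thread or from the OpenLDAP project), the two ldapmodify steps above as a sh script that only adds the module when cn=module{0} does not already list it, sets {ARGON2} as the frontend default, and checks that slappasswd really emits an {ARGON2} value. It assumes the local ldapi:/// socket with SASL EXTERNAL as root, the /usr/lib/ldap module directory quoted earlier in the thread, and slappasswd's -o module-load / module-path options.

```shell
#!/bin/sh
# Added example: load the argon2 module and make {ARGON2} the default
# password hash on a cn=config slapd, then verify. Assumptions: ldapi:///
# with SASL EXTERNAL as root, the /usr/lib/ldap module dir from the thread,
# and slappasswd's -o module-load / module-path options.
set -eu

LDAP="-Q -Y EXTERNAL -H ldapi:///"
MODDIR=/usr/lib/ldap

# LDIF that loads argon2. It must be an "add:" so the existing {0}back_mdb
# value is kept; a "replace:" on olcModuleLoad would try to delete it.
module_ldif() {
    printf '%s\n' 'dn: cn=module{0},cn=config' 'changetype: modify' \
        'add: olcModuleLoad' 'olcModuleLoad: argon2.la'
}

# LDIF that sets the frontend default hash scheme (e.g. "{ARGON2}").
hash_ldif() {
    printf '%s\n' 'dn: olcDatabase={-1}frontend,cn=config' 'changetype: modify' \
        'replace: olcPasswordHash' "olcPasswordHash: $1"
}

# Return 0 when a userPassword value carries the expected {SCHEME} prefix.
has_scheme() {
    case "$2" in
        "$1"*) return 0 ;;
        *)     return 1 ;;
    esac
}

apply_config() {
    # Only add the module if cn=module{0} does not list it already.
    if ! ldapsearch $LDAP -LLL -s base -b 'cn=module{0},cn=config' olcModuleLoad \
            | grep -q argon2; then
        module_ldif | ldapmodify $LDAP
    fi
    hash_ldif '{ARGON2}' | ldapmodify $LDAP
    # slappasswd is a separate process, so it has to load the module itself.
    h=$(slappasswd -o module-path="$MODDIR" -o module-load=argon2 \
            -h '{ARGON2}' -s "$1")
    has_scheme '{ARGON2}' "$h" || { echo "no {ARGON2} hash: $h" >&2; return 1; }
    echo "$h"
}

# Run as: sh enable-argon2.sh apply 'test-secret'
if [ "${1:-}" = apply ]; then
    apply_config "${2:?secret required}"
fi
```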