Hello all,
I compiled pw-argon2 for OpenLDAP 2.4.44 (running on CentOS 7) and configured the directory to use the {ARGON2} password scheme. Everything works fine, only it seems the parallelism remains 1 whatever parameter I give when I load the module. Memory usage and number of iterations do follow the values I give at module load.
Here's cn=module,cn=config:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}ppolicy
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
olcModuleLoad: {3}pw-argon2 m=4096 t=8 p=8
And here's (the beginning of) a password which has been changed using ldappasswd (base64 decoded value obtained with ldapsearch): {ARGON2}$argon2id$v=19$m=4096,t=8,p=1$7KxBUtls1NNPDK4Q4f+.......
What am I missing?
I don't know if this is relevant, libsodium version is 1.0.18 and I compiled pw-argon2 using the libraries provided by openldap-2.4.44-21.el7_6.src.rpm. Let me know if I need to provide other configuration elements.
Two more points:
- the pw-argon2 man page (and README file of the module) examples seem to be obtained using argon2i, while the module uses argon2id;
- what salt length is used?
Thanks for your help, best regards,
Manuela
On Sat, Jun 06, 2020 at 08:07:57PM +0000, Manuela Mandache wrote:
Everything works fine, only it seems the parallelism remains 1 whatever parameter I give when I load the module.
The crypto_pwhash API doesn't offer configuration of that parameter, so it's ignored when built against libsodium.
pw-argon2 calls the crypto_pwhash_str_alg function, defined here: https://github.com/jedisct1/libsodium/blob/1.0.18/src/libsodium/include/sodi...
Internally libsodium uses a hard-coded value of 1 for the parallelism: https://github.com/jedisct1/libsodium/blob/1.0.18/src/libsodium/crypto_pwhas...
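An added example, not code from this thread, from the pw-argon2 module or from libsodium: a small audit script that parses the PHC-style string pw-argon2 stores after the {ARGON2} prefix, reports the embedded m/t/p values and salt length, and compares them with the values given at module load (m=4096 t=8 p=8 in the thread). A directory whose hashes were produced by a libsodium build shows p=1 and is flagged. It also goes slightly beyond the thread by reading ldapsearch-style LDIF, unfolding the wrapped base64 userPassword lines. The sample hashes, DNs and LDIF are constructed here; they are not real directory data.

```python
"""Audit {ARGON2} userPassword values for parameter drift.

Added example (not part of the OpenLDAP thread or the pw-argon2 module).
Sample hashes, DNs and LDIF below are constructed for illustration.
"""
import base64
import re

# Parameters from the olcModuleLoad line quoted in the thread.
EXPECTED = {"m": 4096, "t": 8, "p": 8}

_PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))\$v=(?P<v>\d+)\$"
    r"m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$"
    r"(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)


def _b64decode_nopad(s: str) -> bytes:
    # PHC strings carry unpadded standard base64; restore the padding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _b64encode_nopad(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=")


def parse_argon2(userpassword: str) -> dict:
    """Split a '{ARGON2}$argon2...' value into algorithm, version, m/t/p and lengths."""
    if userpassword.startswith("{ARGON2}"):
        userpassword = userpassword[len("{ARGON2}"):]
    m = _PHC_RE.match(userpassword)
    if not m:
        raise ValueError("not an Argon2 PHC string")
    return {
        "alg": m["alg"],
        "v": int(m["v"]),
        "m": int(m["m"]),
        "t": int(m["t"]),
        "p": int(m["p"]),
        "salt_len": len(_b64decode_nopad(m["salt"])),   # bytes of salt
        "hash_len": len(_b64decode_nopad(m["hash"])),   # bytes of digest
    }


def check_params(userpassword: str, expected=EXPECTED) -> list:
    """Return a list of deviations from the expected m/t/p, empty when none."""
    fields = parse_argon2(userpassword)
    return [f"{k}={fields[k]} (expected {expected[k]})"
            for k in ("m", "t", "p") if fields[k] != expected[k]]


def _unfold(ldif_text: str) -> list:
    # LDIF folds long lines; a continuation line starts with one space.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def audit_ldif(ldif_text: str, expected=EXPECTED) -> dict:
    """Map each dn in ldapsearch output to its parameter deviations.

    ldapsearch prints userPassword base64-encoded ('userPassword:: ...').
    Entries using a scheme other than {ARGON2} are skipped.
    """
    findings, dn = {}, None
    for line in _unfold(ldif_text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: ") and dn:
            value = base64.b64decode(line.split(":: ", 1)[1]).decode()
            if value.startswith("{ARGON2}"):
                findings[dn] = check_params(value, expected)
    return findings


# --- constructed sample data (hypothetical DNs, made-up salt and digest) ---
_SALT = _b64encode_nopad(b"0123456789abcdef")   # 16 constructed salt bytes
_DIGEST = _b64encode_nopad(b"A" * 32)            # 32 constructed digest bytes
SAMPLE_LIBSODIUM = f"{{ARGON2}}$argon2id$v=19$m=4096,t=8,p=1${_SALT}${_DIGEST}"
SAMPLE_LIBARGON2 = f"{{ARGON2}}$argon2id$v=19$m=4096,t=8,p=8${_SALT}${_DIGEST}"


def _fold(line: str, width: int = 76) -> str:
    # Mimic ldapsearch, which folds lines with a leading-space continuation.
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def _ldif_entry(dn: str, userpassword: str) -> str:
    b64 = base64.b64encode(userpassword.encode()).decode()
    return "\n".join(["dn: " + dn, "objectClass: inetOrgPerson",
                      _fold("userPassword:: " + b64), ""])


SAMPLE_LDIF = "\n".join([
    _ldif_entry("uid=alice,ou=people,dc=example,dc=com", SAMPLE_LIBSODIUM),
    _ldif_entry("uid=bob,ou=people,dc=example,dc=com", SAMPLE_LIBARGON2),
    _ldif_entry("uid=carol,ou=people,dc=example,dc=com", "{SSHA}constructedvalue"),
])

if __name__ == "__main__":
    for entry_dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(entry_dn, "OK" if not problems else "; ".join(problems))
```

Running the script prints one line per {ARGON2} entry; alice (hashed with p=1) is reported, bob passes, and carol's {SSHA} value is ignored. To audit a real directory, feed the output of an ldapsearch that returns userPassword to audit_ldif() and adjust EXPECTED to the parameters actually passed on the olcModuleLoad line.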
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, 7 June 2020 00:32, Ryan Tandy ryan@nardis.ca wrote:
On Sat, Jun 06, 2020 at 08:07:57PM +0000, Manuela Mandache wrote:
Everything works fine, only it seems the parallelism remains 1 whatever parameter I give when I load the module.
The crypto_pwhash API doesn't offer configuration of that parameter, so it's ignored when built against libsodium.
pw-argon2 calls the crypto_pwhash_str_alg function, defined here: https://github.com/jedisct1/libsodium/blob/1.0.18/src/libsodium/include/sodi...
Internally libsodium uses a hard-coded value of 1 for the parallelism: https://github.com/jedisct1/libsodium/blob/1.0.18/src/libsodium/crypto_pwhas...
Hi Ryan,
Thank you for your answer. So I've built against libargon2, after changing the algorithm to argon2id in pw-argon2.c, and now everything is perfect.
May I suggest some changes in the man page of the module? I am willing to contribute, but I've never done this. If you welcome the idea, please let me know how I should proceed with it.
Best regards,
Manuela
On Sun, Jun 07, 2020 at 11:12:52AM +0000, Manuela Mandache wrote:
May I suggest some changes in the man page of the module? I am willing to contribute, but I've never done this. If you welcome the idea, please let me know how I should proceed with it.
Please create an issue in the tracker: https://bugs.openldap.org
and contribute your suggested changes as a patch file or GitLab merge request, following https://www.openldap.org/devel/contributing.html
Thank you!
On 6/7/20 1:12 PM, Manuela Mandache wrote:
So I've built against libargon2, after changing the algorithm to argon2id in pw-argon2.c, and now everything is perfect.
This makes me wonder whether it's recommended to build against libargon2 or libsodium.
Could someone point me to links where I can read about recommendations for Argon2 parameters?
Many thanks in advance.
Ciao, Michael.
On 6/8/20 12:15 PM, Michael Ströder wrote:
Could someone point me to links where I can read about recommendations for Argon2 parameters?
https://www.twelve21.io/how-to-choose-the-right-parameters-for-argon2/
https://argon2-cffi.readthedocs.io/en/stable/parameters.html
Python module argon2-cffi can be used as CLI tool to play with the parameters: https://hynek.me/articles/storing-passwords/
Ciao, Michael.
openldap-technical@openldap.org