Debian Bug report logs - #746727
slapd: Please include slapd-sha2 contrib module
Reported by: Michael Przybylski <mike.przybylski@appdynamics.com>
Date: Fri, 2 May 2014 21:57:02 UTC
Severity: wishlist
Tags: confirmed
Found in version openldap/2.4.31-1+nmu2
Fixed in version openldap/2.4.40-2
Done: Ryan Tandy <ryan@nardis.ca>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#746727; Package slapd.
(Fri, 02 May 2014 21:57:06 GMT)
Acknowledgement sent
to Michael Przybylski <mike.przybylski@appdynamics.com>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
(Fri, 02 May 2014 21:57:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: slapd
Version: 2.4.31-1+nmu2
Severity: important
Tags: upstream
Dear Maintainer,
I ran into a particularly vexing problem with OpenLDAP:
I populated a user record with a SSHA-512 user password via Apache Directory
Studio and could verify that the password was correct, but I always got an
"invalid credentials" error when trying to bind with that dn and password.
As a workaround, I changed the userPassword format to SSHA, and was able to
bind successfully.
Could you please build and include this module with the slapd package?
https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2
Furthermore, would you please consider loading it by default when debconf
builds a new slapd.d?
Both actions would greatly improve the security and usability of OpenLDAP on
Debian.
Best regards,
Mike Przybylski
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.113+nmu3
ii coreutils 8.13-3.5
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u1
ii libdb5.1 5.1.29-5
ii libgcrypt11 1.5.0-5+deb7u1
ii libgnutls26 2.12.20-8+deb7u1
ii libldap-2.4-2 2.4.31-1+nmu2
ii libltdl7 2.4.2-1.1
ii libodbc1 2.2.14p2-5
ii libperl5.14 5.14.2-21+deb7u1
ii libsasl2-2 2.1.25.dfsg1-6+deb7u1
ii libslp1 1.2.1-9
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian8+deb7u1
ii multiarch-support 2.13-38+deb7u1
ii perl [libmime-base64-perl] 5.14.2-21+deb7u1
ii psmisc 22.19-1+deb7u1
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.25.dfsg1-6+deb7u1
Versions of packages slapd suggests:
ii ldap-utils 2.4.31-1+nmu2
-- debconf information:
slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
slapd/allow_ldap_v2: false
slapd/password_mismatch:
slapd/invalid_config: true
shared/organization: mprzybylski.corp.appdynamics.com
slapd/upgrade_slapcat_failure:
slapd/no_configuration: false
slapd/move_old_database: true
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/purge_database: false
slapd/domain: mprzybylski.corp.appdynamics.com
slapd/backend: HDB
slapd/dump_database: when needed
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#746727; Package slapd.
(Mon, 05 May 2014 02:21:10 GMT)
Acknowledgement sent
to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
(Mon, 05 May 2014 02:21:11 GMT)
Message #10 received at 746727@bugs.debian.org:
severity 746727 wishlist
tags 746727 - upstream + confirmed pending
thanks
Hi Michael,
On 02/05/14 02:19 PM, Michael Przybylski wrote:
> I ran into a particularly vexing problem with OpenLDAP:
> I populated a user record with a SSHA-512 user password via Apache Directory
> Studio and could verify that the password was correct, but I always got an
> "invalid credentials" error when trying to bind with that dn and password.
>
> As a workaround, I changed the userPassword format to SSHA, and was able to
> bind successfully.
>
> Could you please build and include this module with the slapd package?
> https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2
Thanks for this suggestion. It was straightforward to add building and
installing this module to the package, and it seems to work properly,
f.ex. with olcPasswordHash set to a SHA2 hash. I've committed it to the
Git repository.
The implementation is Aaron Gifford's sha2.c, released under a BSD
license that is very similar to the OpenLDAP license. I think it should
be OK to use.
slappasswd(8) doesn't load additional modules by default, so to test
generating such a password by hand (f.ex. to use as olcRootPW) I had to
tell it to load the module:
/usr/sbin/slappasswd -o module-load=pw-sha2 -h '{SSHA512}'
I wanted to check the behaviour when dealing with a malformed hash, so I
generated a hash with slappasswd(8) and copied it into olcRootPW, but
truncated it a couple of characters before the end. Then slapd(8)
crashed in SHA512_Transform (in sha2.c) when I tried to authenticate!
I performed the same exercise with a built-in hash (SSHA) and got
"Invalid credentials" instead of a crash. Obviously passwords set using
ldappasswd(1) wouldn't have that problem, but it makes me wonder whether
it contains other bugs. (Yes, I'll try to find time to fix this one soon.)
> Furthermore, would you please consider loading it by default when debconf
> builds a new slapd.d?
I personally think the default configuration should load only the
strictly needed modules, and wait for the administrator to add more. I'm
especially not enthusiastic about depending on code from contrib/ in the
default setup, because it doesn't receive as much attention from the
OpenLDAP maintainers as the core code does; see for example the crasher
I already found. So for those reasons I have not made that change. Maybe
another committer has a different opinion.
thanks,
Ryan
[build-and-install-pwsha2.patch (text/x-patch, attachment)]
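The two behaviours Ryan describes above (generating a {SSHA512} value with slappasswd, and a hash truncated by a couple of characters crashing the module instead of producing "Invalid credentials") can be modelled without a running slapd. The block below is an added example written for this page; it is not code from the bug report, from Debian's packaging or from OpenLDAP's sha2 contrib module. It assumes the storage layout that the built-in {SSHA} scheme and the sha2 module's salted schemes use, namely scheme label, then base64 of digest(password || salt) followed by the salt; the 8-byte salt length used for generation is this example's own choice, and verification accepts any salt length. The verifier does the length check that a truncated value needs: a payload shorter than the digest is rejected rather than passed to the hash routine.

```python
"""Model of slapd userPassword hash schemes with a malformed-input-safe verifier.

Added example for Debian bug #746727; not the pw-sha2 module's own code.
Assumed layout (labelled assumption): "{SCHEME}" + base64(digest || salt).
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Scheme label -> (hashlib algorithm name, whether a salt is appended).
# {SSHA} is slapd's built-in salted SHA-1; the SHA-2 labels are the ones
# the sha2 contrib module (loaded as pw-sha2) provides.
SCHEMES = {
    "{SSHA}":    ("sha1",   True),
    "{SHA256}":  ("sha256", False),
    "{SSHA256}": ("sha256", True),
    "{SHA384}":  ("sha384", False),
    "{SSHA384}": ("sha384", True),
    "{SHA512}":  ("sha512", False),
    "{SSHA512}": ("sha512", True),
}
SALT_LEN = 8  # assumption for generation only; verify() takes any salt length


def split_scheme(stored: str) -> Optional[Tuple[str, str]]:
    """Return (scheme label, base64 payload), or None if the prefix is unknown."""
    if not stored.startswith("{"):
        return None
    end = stored.find("}")
    if end < 0:
        return None
    scheme = stored[: end + 1].upper()  # scheme names are case-insensitive
    if scheme not in SCHEMES:
        return None
    return scheme, stored[end + 1:]


def make_hash(password: str, scheme: str = "{SSHA512}",
              salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the given scheme (what slappasswd -h does)."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """True iff password matches stored.

    Malformed values (unknown scheme, invalid base64, payload shorter than
    the digest) return False instead of raising: the "Invalid credentials"
    outcome the truncated-olcRootPW experiment expected from the module.
    """
    parts = split_scheme(stored)
    if parts is None:
        return False
    scheme, payload = parts
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False  # bad padding or non-alphabet characters
    digest_len = hashlib.new(algo).digest_size
    if len(raw) < digest_len or (not salted and len(raw) != digest_len):
        return False  # the length check a truncated hash must hit, not a crash
    digest, salt = raw[:digest_len], raw[digest_len:]
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def truncation_results(password: str, scheme: str = "{SSHA512}",
                       max_cut: int = 16) -> List[bool]:
    """Run verify() on a valid hash with 1..max_cut trailing characters removed.

    Every entry should be False: a shortened value must never authenticate,
    and the verifier must survive each of them.
    """
    good = make_hash(password, scheme)
    return [verify(password, good[:-cut]) for cut in range(1, max_cut + 1)]


if __name__ == "__main__":
    value = make_hash("secret")
    print(value)
    print("match:", verify("secret", value), "truncated:", verify("secret", value[:-2]))
```

For comparison with real slapd output, generate a value with the command from the message above (`slappasswd -o module-load=pw-sha2 -h '{SSHA512}'`) and pass it to `verify()`; a correct value verifies, and the same value with its last few characters removed is simply rejected.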
Severity set to 'wishlist' from 'important'
Request was from Ryan Tandy <ryan@nardis.ca>
to control@bugs.debian.org.
(Mon, 05 May 2014 02:21:14 GMT)
Removed tag(s) upstream.
Request was from Ryan Tandy <ryan@nardis.ca>
to control@bugs.debian.org.
(Mon, 05 May 2014 02:21:15 GMT)
Added tag(s) confirmed and pending.
Request was from Ryan Tandy <ryan@nardis.ca>
to control@bugs.debian.org.
(Mon, 05 May 2014 02:21:16 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#746727; Package slapd.
(Mon, 12 May 2014 03:03:08 GMT)
Acknowledgement sent
to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
(Mon, 12 May 2014 03:03:08 GMT)
Message #21 received at 746727@bugs.debian.org:
On 04/05/14 07:16 PM, Ryan Tandy wrote:
> I wanted to check the behaviour when dealing with a malformed hash, so I
> generated a hash with slappasswd(8) and copied it into olcRootPW, but
> truncated it a couple of characters before the end. Then slapd(8)
> crashed in SHA512_Transform (in sha2.c) when I tried to authenticate!
That turned out to affect more than just slapd-sha2. Filed upstream:
http://www.openldap.org/its/?findid=7851
thanks,
Ryan
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#746727; Package slapd.
(Fri, 27 Jun 2014 05:27:12 GMT)
Acknowledgement sent
to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
(Fri, 27 Jun 2014 05:27:12 GMT)
Message #26 received at 746727@bugs.debian.org:
Quanah noticed, and mentioned to me in IRC, that if you are using
cn=config and you set olcPasswordHash to a scheme provided by a module,
then slapd won't start, because it processes the global cn=config before
diving into the cn=module subtree(s). (It does work if you use
slapd.conf and specify moduleload before password-hash.)
I think this doesn't affect pw-netscape and pw-apr1 too badly, since
they are meant for importing existing hashes and shouldn't be used as
the scheme for new users; but users of pw-sha2 and pw-pbkdf2 are likely
to hit this.
I had already added pw-sha2 in git; I'm going to leave it as is for the
moment, pending reaction from upstream, but this should be considered
before uploading that.
thanks,
Ryan
Removed tag(s) pending.
Request was from Ryan Tandy <ryan@nardis.ca>
to control@bugs.debian.org.
(Fri, 29 Aug 2014 05:30:10 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#746727; Package slapd.
(Mon, 20 Oct 2014 10:54:04 GMT)
Acknowledgement sent
to Luca Bruno <lucab@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
(Mon, 20 Oct 2014 10:54:04 GMT)
Message #33 received at 746727@bugs.debian.org:
Hi all,
as a sidenote, pw-pbkdf2 currently uses openssl EVP module to perform hashing
and verification (via PKCS5_PBKDF2_HMAC_SHA1).
We are currently building against gnutls, so this requires an appropriate
amount of #ifdef and gnutls support before it could be shipped.
Cheers, Luca
Reply sent
to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility.
(Tue, 21 Oct 2014 21:45:30 GMT)
Notification sent
to Michael Przybylski <mike.przybylski@appdynamics.com>:
Bug acknowledged by developer.
(Tue, 21 Oct 2014 21:45:30 GMT)
Message #38 received at 746727-close@bugs.debian.org:
Source: openldap
Source-Version: 2.4.40-2
We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 746727@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 20 Oct 2014 22:19:24 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.40-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 701111 746727 761406
Changes:
openldap (2.4.40-2) unstable; urgency=medium
.
* Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
* debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
dpkg-buildflags. Spotted by Lintian.
* debian/slapd.init.ldif: Don't bother explicitly granting rights to the
rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
* Recommend MDB for new installations, per upstream's recommendation.
* Don't re-create the default DB_CONFIG if there wasn't one in the backup,
for example if the active backend doesn't use it. Thanks Ferenc Wagner.
* On upgrade, if an access rule begins with "to * by self write", show a
debconf note warning that it should be changed. (Closes: #761406)
* Build and install the lastbind contrib module. (Closes: #701111)
* Build and install the passwd/sha2 contrib module. (Closes: #746727)
Checksums-Sha1:
f255aedfeb1ffd74a7cc4ab2819ee8de9ad0965e 2756 openldap_2.4.40-2.dsc
4a9e02ebcea4854949bd5ef5b6fbb0f21be8aa0c 172175 openldap_2.4.40-2.diff.gz
Checksums-Sha256:
6d75cf7234c5b999a513e46aafc5a846cd452c3759115a2a77ae3887c0d5ced5 2756 openldap_2.4.40-2.dsc
c92a2bd3cb60293b841be7e63e702dee4b2a06d528232bf2fa96181c08149b14 172175 openldap_2.4.40-2.diff.gz
Files:
c81d0e81391ffc689e4e63b78c32d466 2756 net optional openldap_2.4.40-2.dsc
306c37b6614c77555d213b6caff5a3d0 172175 net optional openldap_2.4.40-2.diff.gz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 19 Nov 2014 07:31:36 GMT)