osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

Cannot add pbkdf2 password scheme to slapd #235

Open thomasdarimont opened 6 years ago

thomasdarimont commented 6 years ago

In order to integrate with an existing system which hashes user passwords with PBKDF2, I need to get the pw-pbkdf2 password scheme working with OpenLDAP. I'm now having trouble getting pw-pbkdf2 to work: OpenLDAP's slappasswd complains with "cannot find the library" and/or "scheme not recognized", although the libs seem to be in the right place. Perhaps I'm just missing a dependency in the image.

Any ideas?

I followed the build instructions in [1] and compiled the shared lib. Then I created a custom Docker image and copied the lib files pw-pbkdf2.* to the (appropriate?) target directory /usr/lib/ldap/ in the image.

My Dockerfile (I copied the libs from the build to $PWD/pbkdf2):

FROM osixia/openldap:1.2.1
ADD pbkdf2/ /usr/lib/ldap/

Build the image

docker build -t tdlabs/openldap:1.2.1.3 .

Running the image

docker run \
  --name demo-iam-ldap \
  --env LDAP_TLS=false \
  --env LDAP_ORGANISATION="Acme Inc." \
  --env LDAP_DOMAIN="acme.org" \
  --env LDAP_BASE_DN="ou=users,dc=acme,dc=org" \
  --env LDAP_ADMIN_PASSWORD="JonSn0w" \
  --volume $PWD/ldif:/tmp/ldif:ro \
  --volume $PWD/data:/var/lib/ldap \
  --detach \
  -p 389:389 \
  tdlabs/openldap:1.2.1.3

The libs seem to end up in the right folder:

root@0db84110f6cd:/# ls -aflh /usr/lib/ldap/pw-*
-rw-r--r--. 1 root root 26K Aug  3 21:59 /usr/lib/ldap/pw-pbkdf2.a
-rw-r--r--. 1 root root 950 Aug  3 21:59 /usr/lib/ldap/pw-pbkdf2.la
lrwxrwxrwx. 1 root root  18 Aug  3 22:01 /usr/lib/ldap/pw-pbkdf2.so -> pw-pbkdf2.so.0.0.0
lrwxrwxrwx. 1 root root  18 Aug  3 22:01 /usr/lib/ldap/pw-pbkdf2.so.0 -> pw-pbkdf2.so.0.0.0
-rwxr-xr-x. 1 root root 26K Aug  3 21:59 /usr/lib/ldap/pw-pbkdf2.so.0.0.0
-rw-r--r--. 1 root root 940 Aug 10  2017 /usr/lib/ldap/pw-sha2.la
lrwxrwxrwx. 1 root root  16 Aug 10  2017 /usr/lib/ldap/pw-sha2.so -> pw-sha2.so.0.0.0
lrwxrwxrwx. 1 root root  16 Aug 10  2017 /usr/lib/ldap/pw-sha2.so.0 -> pw-sha2.so.0.0.0
-rw-r--r--. 1 root root 22K Aug 10  2017 /usr/lib/ldap/pw-sha2.so.0.0.0

Generating SSHA password hashes works (for testing)

$ docker exec -it demo-iam-ldap slappasswd -h {SSHA} -s secret
{SSHA}FlzDTza9/HltI9nEHvvaaFiYt64cI70W

Generating PBKDF2 password hashes fails:

$ docker exec -it demo-iam-ldap slappasswd -h {PBKDF2} -s secret
Password generation failed for scheme {PBKDF2}: scheme not recognized

Also explicitly declaring the module doesn't work:

$ docker exec -it demo-iam-ldap slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
5b657fb3 lt_dlopenext failed: (pw-pbkdf2.la) file not found

[1] https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/passwd/pbkdf2

Mindavi commented 5 years ago

Did you get this to work?

I've got a few questions, if you do remember:

In slapd.conf:

    moduleload pw-pbkdf2.so

You can also tell OpenLDAP to use the schemes when processing LDAP Password Modify Extended Operations, thanks to the password-hash option in slapd.conf. For example:

    password-hash {PBKDF2}
or
    password-hash {PBKDF2-SHA256}
or
    password-hash {PBKDF2-SHA512}

thomasdarimont commented 5 years ago

@Mindavi I built the pbkdf2 binaries myself with the Makefile contained in the contrib/slapd-modules/password folder. See: https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/passwd/pbkdf2

The readme states that slapd.conf is not used by the docker container, see: https://github.com/osixia/docker-openldap/blob/stable/README.md#edit-your-server-configuration

Therefore I also tried to create a drop-in config file with:

pbkdf2.conf:

moduleload pw-pbkdf2.so

that I add to the docker image via (in the Dockerfile):

ADD pbkdf2.conf /etc/ldap/slapd.d/pbkdf2.conf

But it still doesn't recognize the PBKDF2 password-hash.

thomasdarimont commented 5 years ago

Update, I think I got it working now: \o/

$ slappasswd -o module-load=/usr/lib/ldap/pw-pbkdf2.la -h '{PBKDF2-SHA256}' -s secret
{PBKDF2-SHA256}10000$0IHrGrBOhFpxzqpBwp12RA$HfSHBRSiVH5mGBdUSciZdKjgsMLi9fyd88E5Uip2IU4

$ slappasswd -o module-load=/usr/lib/ldap/pw-pbkdf2.la -h '{PBKDF2-SHA512}' -s secret
{PBKDF2-SHA512}10000$niFbcFyjjYqXz3Due4F1Jw$DY20fDOvHyKsz0SHpy1xcGnUiMJ0rRGlMEPAt6S5IzuuwVKw77ZfSYiQU1RtF0PcTg0UBeE0mS60X6.cYJ9ITQ

$ slappasswd -o module-load=/usr/lib/ldap/pw-pbkdf2.la -h '{PBKDF2-SHA1}' -s secret
{PBKDF2-SHA1}10000$+.Hm.JAR2iWc.1lKLYmIPw$k6WHMvE610kg1WQAYg/jgnVQlUU

Needed to install some debugging tools in the docker container to figure out that some dependencies were missing... before:

ldd /usr/lib/ldap/pw-pbkdf2.so.0
    linux-vdso.so.1 (0x00007ffde9cca000)
    libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f04ecbd6000)
    liblber-2-devel.so.0 => not found
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f04ec73d000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04ec39e000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f04ec18f000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f04ebf78000)
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f04ebd5d000)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f04eb9c4000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f04eb7a7000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f04eb5a3000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f04ed02a000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f04eb389000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f04eb124000)
    libidn.so.11 => /lib/x86_64-linux-gnu/libidn.so.11 (0x00007f04eaef0000)
    libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f04eacdd000)
    libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f04eaaa6000)
    libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f04ea871000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f04ea5ee000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f04ea3e5000)

The missing library liblber-2-devel.so.0 was part of the OpenLDAP build, and the docker image contains another version.

$ locate liblber-2
/root/openldap/libraries/liblber/.libs/liblber-2-devel.so.0
/root/openldap/libraries/liblber/.libs/liblber-2-devel.so.0.0.0
/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2
/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.10.10

As a workaround I copied the liblber-2-devel.so.0.0.0 files to /usr/lib/x86_64-linux-gnu/ such that the dependencies could be resolved correctly.

after:

$ ldd /usr/lib/ldap/pw-pbkdf2.so.0
    linux-vdso.so.1 (0x00007ffeecd72000)
    libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007fe8666f4000)
    liblber-2-devel.so.0 => /usr/lib/x86_64-linux-gnu/liblber-2-devel.so.0 (0x00007fe8664e6000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fe86604d000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe865cae000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007fe865a9f000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fe865888000)
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fe86566d000)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fe8652d4000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe8650b7000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe864eb3000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fe866b48000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fe864c99000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fe864a34000)
    libidn.so.11 => /lib/x86_64-linux-gnu/libidn.so.11 (0x00007fe864800000)
    libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fe8645ed000)
    libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007fe8643b6000)
    libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007fe864181000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fe863efe000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007fe863cf5000)

If anybody knows a better way to fix this issue, I'd love to learn it :)
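As an added example (not code from this thread or from the OpenLDAP module), here is a small Python parser and verifier for the {PBKDF2-SHA*}iterations$salt$key strings that slappasswd printed above. It assumes the module's output is standard PBKDF2-HMAC over a 16-byte salt, with salt and key in "adapted base64" ('.' for '+', no padding); it also accepts a literal '+', since the SHA1 hash above contains one.

```python
"""Parse/verify pw-pbkdf2 hashes of the form {PBKDF2-SHA256}<iterations>$<salt>$<dk>.
Added example; assumes standard PBKDF2-HMAC (hashlib) and a 16-byte salt."""
import base64
import hashlib
import hmac
import os
import re

# hashlib digest name and derived-key length per scheme ({PBKDF2} is the SHA1 alias)
SCHEMES = {"PBKDF2": ("sha1", 20), "PBKDF2-SHA1": ("sha1", 20),
           "PBKDF2-SHA256": ("sha256", 32), "PBKDF2-SHA512": ("sha512", 64)}
HASH_RE = re.compile(r"^\{(PBKDF2(?:-SHA(?:1|256|512))?)\}(\d+)\$([^$]+)\$([^$]+)$")

# Hashes exactly as slappasswd printed them in the thread above (password was "secret")
PAGE_SHA256 = "{PBKDF2-SHA256}10000$0IHrGrBOhFpxzqpBwp12RA$HfSHBRSiVH5mGBdUSciZdKjgsMLi9fyd88E5Uip2IU4"
PAGE_SHA1 = "{PBKDF2-SHA1}10000$+.Hm.JAR2iWc.1lKLYmIPw$k6WHMvE610kg1WQAYg/jgnVQlUU"

def ab64_decode(s: str) -> bytes:
    """'Adapted base64': '.' replaces '+' and '=' padding is dropped.
    A literal '+' is accepted as well, since the SHA1 hash above contains one."""
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def ab64_encode(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=").replace("+", ".")

def parse_hash(h: str):
    """Return (digest, iterations, salt, dk) or raise ValueError on a malformed string."""
    m = HASH_RE.match(h)
    if not m:
        raise ValueError("not a {PBKDF2*} hash")
    scheme, iterations, salt, dk = m.groups()
    digest, dk_len = SCHEMES[scheme]
    dk_bytes = ab64_decode(dk)
    if len(dk_bytes) != dk_len:  # a truncated or wrong-scheme hash must never verify
        raise ValueError(f"{scheme}: expected {dk_len}-byte key, got {len(dk_bytes)}")
    return digest, int(iterations), ab64_decode(salt), dk_bytes

def verify(password: str, h: str) -> bool:
    """Constant-time comparison of PBKDF2-HMAC(password) against the stored key."""
    digest, iterations, salt, dk = parse_hash(h)
    cand = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, len(dk))
    return hmac.compare_digest(cand, dk)

def make_hash(password: str, scheme="PBKDF2-SHA256", iterations=10000, salt=None) -> str:
    """Produce a hash in the module's format with a random 16-byte salt (like pw-pbkdf2)."""
    digest, dk_len = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, dk_len)
    return f"{{{scheme}}}{iterations}${ab64_encode(salt)}${ab64_encode(dk)}"
```

The iteration count is self-describing in the string, so a hash made with the 27500-iteration build mentioned below still verifies against a default-build server, and parse_hash rejects {SSHA} or other schemes instead of silently comparing them.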

Mindavi commented 5 years ago

I've made a dockerfile with the instructions you gave (I didn't need to copy the libraries however, maybe you built them against other libraries, e.g. ubuntu instead of debian). This seems to run the commands you gave above just fine.

from debian:stretch-slim as builder
RUN apt-get -qq update && apt-get -qq -y install git > /dev/null
RUN git clone --quiet --branch OPENLDAP_REL_ENG_2_4_47 --depth 1 git://git.openldap.org/openldap.git openldap
RUN apt-get -qq update && apt-get -qq -y install man-db libdb5.3-dev libssl-dev autoconf build-essential libtool libldap2-dev > /dev/null
WORKDIR /openldap
RUN ./configure --enable-modules
RUN make depend
RUN make --jobs
WORKDIR /openldap/contrib/slapd-modules/passwd/pbkdf2
RUN make --jobs
RUN mkdir tocopy && cp pw-pbkdf2.la .libs/pw-pbkdf2.so .libs/pw-pbkdf2.so.0 .libs/pw-pbkdf2.so.0.0.0 tocopy

FROM osixia/openldap:1.2.3
COPY --from=builder /openldap/contrib/slapd-modules/passwd/pbkdf2/tocopy /usr/lib/ldap/

Mindavi commented 5 years ago

The only thing I need to get working now is loading the module when slapd is running.

thomasdarimont commented 5 years ago

Nice!

Your build is quite handy, thanks :)

Btw. you could also add support for customizing the PBKDF2 iteration count with a build arg, e.g.

ARG PBKDF2_ITERATION=27500
RUN sed -i "s/#define PBKDF2_ITERATION [[:digit:]]\+/#define PBKDF2_ITERATION $PBKDF2_ITERATION/g" pw-pbkdf2.c

Isn't it enough to add moduleload pw-pbkdf2.so to slapd.conf or /etc/ldap/slapd.d/pbkdf2.conf with that line to load the module?

col-panic commented 5 years ago

I'm facing the same requirement now. But with the current version one simply has to add the slapd-contrib package to get some additional modules:

/usr/lib/ldap/pw-apr1.la
/usr/lib/ldap/pw-apr1.so.0.0.0
/usr/lib/ldap/pw-netscape.la
/usr/lib/ldap/pw-netscape.so.0.0.0
/usr/lib/ldap/pw-pbkdf2.la
/usr/lib/ldap/pw-pbkdf2.so.0.0.0
/usr/lib/ldap/smbk5pwd.la
/usr/lib/ldap/smbk5pwd.so.0.0.0

Do you have a specific reason not to include this package when building the image?

michield commented 8 months ago

Just in case someone bumps into this, this seems to work for me:

Create a file "/tmp/pw-pbkdf2" with contents

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-pbkdf2

and run the command

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/pw-pbkdf2