Source: openldap
Version: 2.4.49+dfsg-3
Severity: normal
Tags: patch upstream
Hi,

the pw-argon2 password module, which was backported from upstream master, lacks a manual page.

Please find attached patches to upstream to fix the issue not only for Debian but for all OpenLDAP users.

(@Ryan: thanks for implementing some of the changes I proposed to upstream's ITS)

Thanks for working on OpenLDAP upstream and maintaining it in Debian

Peter

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
>From b32a42144df54e6872113fcf5ccb561ecad47878 Mon Sep 17 00:00:00 2001 From: Peter Marschall <pe...@adpm.de> Date: Sun, 5 Apr 2020 14:20:57 +0200 Subject: [PATCH 1/2] contrib/passwd/argon2: add manual page Add manual page slapd-pw-argon2.5 and make sure it gets installed. Signed-off-by: Peter Marschall <pe...@adpm.de> --- contrib/slapd-modules/passwd/argon2/Makefile | 14 ++- .../passwd/argon2/slapd-pw-argon2.5 | 97 +++++++++++++++++++ 2 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 diff --git a/contrib/slapd-modules/passwd/argon2/Makefile b/contrib/slapd-modules/passwd/argon2/Makefile index b35d7a36f..093bd8fb0 100644 --- a/contrib/slapd-modules/passwd/argon2/Makefile +++ b/contrib/slapd-modules/passwd/argon2/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall #DEFS = -DSLAPD_ARGON2_DEBUG @@ -27,6 +28,7 @@ $(error Unsupported implementation $(implementation)) endif PROGRAMS = pw-argon2.la +MANPAGES = slapd-pw-argon2.5 LTVER = 0:0:0 #prefix=/usr/local @@ -38,6 +40,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -53,8 +57,16 @@ pw-argon2.la: pw-argon2.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done + +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: 
diff --git a/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 b/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 new file mode 100644 index 000000000..a8b6a8022 --- /dev/null +++ b/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 
@@ -0,0 +1,97 @@ +.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2020 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapd-pw-argon2 \- Argon2 password module to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.RS +.LP +.B moduleload +.B pw-argon2 +.RE +.SH DESCRIPTION +.LP +The +.B pw-argon2 +module to +.BR slapd (8) +provides support for the use of the key derivation function Argon2, +that was selected as the winner of the Password Hashing Competition in July 2015, +in hashed passwords in OpenLDAP. +.LP +It does so by providing the additional password scheme +.B {ARGON2} +for use in slapd. + +.SH CONFIGURATION +The +.B pw-argon2 +module does not need any configuration. +.LP +After loading the module, the password scheme +.B {ARGON2} +will be recognised in values of the +.I userPassword +attribute. +.LP +You can then instruct OpenLDAP to use this scheme when processing +the LDAPv3 Password Modify (RFC 3062) extended operations by using the +.BR password-hash +option in +.BR slapd.conf (5): +.RS +.LP +.BR password-hash {ARGON2} +.RE +.LP + +.SS NOTES +If you want to use the scheme described here with +.BR slappasswd (8), +remember to load the module using its command line options. 
+The relevant option/value is: +.RS +.LP +.B \-o +.BR module\-load = pw-argon2 +.LP +.RE +Depending on +.BR pw-argon2 's +location, you may also need: +.RS +.LP +.B \-o +.BR module\-path = \fIpathspec\fP +.RE + +.SH EXAMPLES +Both userPassword LDAP attributes below encode the password +.RI ' secret ' +using different salts: +.EX +.LP +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng +.LP +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw +.EE + +.SH SEE ALSO +.BR slapd.conf (5), +.BR ldappasswd (1), +.BR slappasswd (8), +.BR ldap (3), +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.LP + +.SH ACKNOWLEDGEMENTS +This manual page has been written by Peter Marschall based on the +module's README file written by Simon Levermann <si...@levermann.de> +.LP +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. -- 2.25.1
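Review bot: `+INSTALL = /usr/bin/install` in the first Makefile hunk hardcodes an absolute path for a tool that is only used as `$(INSTALL) -m 644` to copy one plain file; `INSTALL = install` (resolved through PATH and still overridable with `make INSTALL=...`) does the same job without breaking on hosts where install is not in /usr/bin.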
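Review bot: `+mandir = $(exec_prefix)/share/man` in the `@@ -38,6 +40,8 @@` hunk derives the manual directory from exec_prefix, which by GNU convention holds architecture-specific files; manual pages are architecture-independent and belong under `$(prefix)/share/man`. Whenever exec_prefix equals prefix the result is identical, but a build that points exec_prefix elsewhere installs the page beside the binaries.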
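Review bot: install-man in the `@@ -53,8 +57,16 @@` hunk copies the page verbatim (`$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)`), but the page it installs opens with `.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"` and its SYNOPSIS reads `ETCDIR/slapd.conf`; those are the tokens the main tree's doc/man build substitutes with sed, and nothing in this contrib Makefile does so, so the installed page shows them literally. Either run the same substitution in install-man (sed over LDVERSION, RELEASEDATE and ETCDIR into `$(DESTDIR)$(man5dir)/slapd-pw-argon2.5`, with the values passed in as make variables) or state in the commit message that packagers are expected to substitute them.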
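Review bot: the CONFIGURATION section of the new page says the module needs no configuration but never states what a freshly generated hash looks like; the EXAMPLES imply argon2i with `m=4096,t=3,p=1` (m is in KiB, so 4 MiB per hash), and an administrator choosing {ARGON2} needs that spelled out, together with how the salt is generated and whether verification honours the parameters encoded in a stored value, so that hashes produced elsewhere with other parameters can be imported. In NOTES, `-o module-load=pw-argon2` only loads the module and does not select the scheme; the slappasswd example should also carry `-h '{ARGON2}'`. In EXAMPLES, the two salts are the base64 of the literal strings "saltsalt" and "saltsaltsalt", so the page should say they are illustrative rather than something to copy.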
>From 8e4b1e07d6de8a6f743c7b322950a9d484b945da Mon Sep 17 00:00:00 2001 From: Peter Marschall <pe...@adpm.de> Date: Sun, 5 Apr 2020 16:31:25 +0200 Subject: [PATCH 2/2] contrib/passwd/argon2: update README to changed module name Change all occurrences of 'slapd-argon2' to 'slapd-pw-argon2' Signed-off-by: Peter Marschall <pe...@adpm.de> --- contrib/slapd-modules/passwd/argon2/README | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/slapd-modules/passwd/argon2/README b/contrib/slapd-modules/passwd/argon2/README index 656df8f72..c7aa3652f 100644 --- a/contrib/slapd-modules/passwd/argon2/README +++ b/contrib/slapd-modules/passwd/argon2/README @@ -1,7 +1,7 @@ Argon2 OpenLDAP support ---------------------- -slapd-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For +slapd-pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For instance, one could have the LDAP attribute: userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng @@ -22,13 +22,13 @@ For initial testing you might also want to edit DEFS to define SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on in production, as it prints passwords in cleartext). -2) Run 'make' to produce slapd-argon2.so +2) Run 'make' to produce slapd-pw-argon2.so -3) Copy slapd-argon2.so somewhere permanent. +3) Copy slapd-pw-argon2.so somewhere permanent. 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: -moduleload ...path/to/slapd-argon2.so +moduleload ...path/to/slapd-pw-argon2.so 5) Restart slapd. -- 2.25.1
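Review bot: the rename goes the wrong way for the file names in all four README hunks. The Makefile in the first patch builds `pw-argon2.la` from `pw-argon2.lo` (so the source is pw-argon2.c via the `.c .o .lo` suffix rules, and the libtool output is pw-argon2.la with the shared object under .libs/), and the new man page's SYNOPSIS says `moduleload pw-argon2`; after this patch the README points at slapd-pw-argon2.c and slapd-pw-argon2.so, which nothing produces. Suggest `pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP`, `Run 'make' to produce pw-argon2.la`, and `moduleload ...path/to/pw-argon2.so` (keeping the elided path as it is); only the manual page name slapd-pw-argon2 carries the slapd- prefix.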