Hi Jonas, That looks great — the test instructions are clear and reasonable. Thank you very much for your work on this!
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2125685

Title:
  pbkdf2 module does not make iterations configurable and FIPS 140-3

Status in openldap package in Ubuntu:
  In Progress
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Noble:
  In Progress
Status in openldap source package in Plucky:
  In Progress
Status in openldap source package in Questing:
  In Progress

Bug description:
  [ Impact ]

  Add configurable rounds for the pw-pbkdf2.so module.

  Without the ability to configure the iteration count, it is not possible
  to meet current security best practices or achieve compliance with
  FIPS 140-3, which requires configurable and sufficiently high iteration
  counts for PBKDF2.

  [ Test Plan ]

  * install slapd and slapd-contrib
  * only supports hardcoded 10000 rounds:
      slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
    -> observe {PBKDF2-SHA512}10000$...
  * after update, any round number can be configured:
      slappasswd -o module-load="pw-pbkdf2.so 1337" -h {PBKDF2-SHA512}
    -> observe {PBKDF2-SHA512}1337$...

  [ Where problems could occur ]

  * pbkdf2 password validation/hashing could get a regression
  * Due to the configurable number amount, old passwords could become
    invalid due to different round counts

  [ Original Report ]

  On Ubuntu 24.04, the OpenLDAP package ships with the library
  /usr/lib/ldap/pw-pbkdf2.so. While this module works for generating
  PBKDF2-SHA512 password hashes, it does not provide an option to
  configure the number of iterations.

  For example:

    slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}

  generates a hash with a fixed iteration count (e.g. 10000) and does not
  accept parameters to increase it.

  In contrast, the upstream contrib module passwd/pbkdf2 on
  https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/passwd/pbkdf2
  supports the iteration count option and allows administrators to
  configure it:

    moduleload pw-pbkdf2.so [iterations]

  Steps to reproduce:

  1. Install OpenLDAP on Ubuntu 24.04 (slapd and slapd-contrib packages).
  2. Run:
       slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
     Output:
       {PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y

