This bug was fixed in the package openldap - 2.6.10+dfsg-1ubuntu3
---------------
openldap (2.6.10+dfsg-1ubuntu3) resolute; urgency=medium
* Fix slapd apparmor profile (LP: #2119884)
- d/rules: fix dh_apparmor being skipped in -indep for -arch slapd package
- d/apparmor-profile: add systemd-notify support
- d/t/slapd: test if running in apparmor enforce mode
* d/rules: remove leftover bogus override_dh_auto_build target
* pbkdf2 iteration configuration support (LP: #2125685)
- d/p/lp2125685-pbkdf2-configurable-rounds: make iterations configurable
- d/p/lp2125685-pbkdf2-fix-iteration-arg: fix iteration argument index
- d/t/pbkdf2-contrib: test if pbkdf2 hashing rounds are adjustable
-- Jonas Jelten <[email protected]> Thu, 25 Sep 2025 15:45:49 +0200
** Changed in: openldap (Ubuntu Resolute)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2125685
Title:
pbkdf2 needs configurable hashing rounds for FIPS 140-3
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Jammy:
In Progress
Status in openldap source package in Noble:
In Progress
Status in openldap source package in Plucky:
In Progress
Status in openldap source package in Questing:
In Progress
Status in openldap source package in Resolute:
Fix Released
Bug description:
[ Impact ]
Add configurable rounds for pw-pbkdf2.so module
Without the ability to configure the iteration count, it is not
possible to meet current security best practices or achieve compliance
with FIPS 140-3, which requires configurable and sufficiently high
iteration counts for PBKDF2.
[ Test Plan ]
* install slapd and slapd-contrib
* before update: only supports hardcoded 10000 rounds:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
-> observe {PBKDF2-SHA512}10000$...
* after update, any round number can be configured:
slappasswd -o module-load="pw-pbkdf2.so 1337" -h {PBKDF2-SHA512}
-> observe {PBKDF2-SHA512}1337$...
[ Where problems could occur ]
* pbkdf2 password validation/hashing could get a regression
* Because the iteration count is now configurable, old passwords could become invalid
due to differing round counts
[ Original Report ]
On Ubuntu 24.04, the OpenLDAP package ships with the library
/usr/lib/ldap/pw-pbkdf2.so.
While this module works for generating PBKDF2-SHA512 password hashes, it does
not provide an option to configure the number of iterations.
For example:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
generates a hash with a fixed iteration count (e.g. 10000) and does
not accept parameters to increase it.
In contrast, the upstream contrib module passwd/pbkdf2 on
https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/passwd/pbkdf2
supports the iteration count option and allows administrators to
configure it:
moduleload pw-pbkdf2.so [iterations]
Steps to reproduce:
Install OpenLDAP on Ubuntu 24.04 (slapd and slapd-contrib packages).
Run
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y
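As an added example (not code from the bug report or from the OpenLDAP module itself), the script below re-implements the hash layout the module emits, `{SCHEME}rounds$salt$dk`, with salt and derived key in adapted base64 ('.' in place of '+', no '=' padding); that encoding and the 16-byte salt are assumptions inferred from the sample hash above, and the scheme table covers only the prefixes the report mentions. It shows the point behind the "old passwords could become invalid" concern: the round count is stored in each hash, so raising the configured rounds changes only newly generated hashes, while an existing 10000-round hash still verifies.

```python
import base64
import hashlib
import hmac
import os

# Digest per scheme prefix. {PBKDF2} is the SHA-1 variant (20-byte key).
SCHEMES = {"{PBKDF2}": "sha1", "{PBKDF2-SHA512}": "sha512"}

# Hash from the report above: slappasswd ... -h {PBKDF2} -s secret (10000 rounds).
PAGE_HASH = "{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y"


def ab64_decode(s):
    """Adapted base64 (assumed): '.' stands for '+', no '=' padding."""
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def ab64_encode(b):
    return base64.b64encode(b).decode().replace("+", ".").rstrip("=")


def parse_ldap_pbkdf2(h):
    """Split '{SCHEME}rounds$salt$dk' into (digest, rounds, salt, dk)."""
    end = h.index("}") + 1
    digest = SCHEMES[h[:end]]
    rounds, salt, dk = h[end:].split("$")
    return digest, int(rounds), ab64_decode(salt), ab64_decode(dk)


def hash_ldap_pbkdf2(password, rounds, scheme="{PBKDF2-SHA512}", salt=None):
    """Produce a hash in the module's layout; rounds is the configurable knob."""
    digest = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt  # 16-byte salt (assumed)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds)
    return f"{scheme}{rounds}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify_ldap_pbkdf2(h, password):
    """Recompute with the round count stored in the hash, compare in constant time."""
    digest, rounds, salt, dk = parse_ldap_pbkdf2(h)
    cand = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds, dklen=len(dk))
    return hmac.compare_digest(cand, dk)


if __name__ == "__main__":
    # A stored 10000-round hash keeps verifying after the configured count is raised.
    print("old hash verifies:", verify_ldap_pbkdf2(PAGE_HASH, "secret"))
    new_hash = hash_ldap_pbkdf2("secret", 600000)
    print("new hash:", new_hash[:40] + "...")
    print("new hash verifies:", verify_ldap_pbkdf2(new_hash, "secret"))
```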