slappw-argon2 - Argon2 password module to slapd

ETCDIR/slapd.conf

moduleload argon2

The argon2 module to slapd(8) provides support for the use of the key derivation function Argon2, which was selected as the winner of the Password Hashing Competition in July 2015, in hashed passwords in OpenLDAP.

It does so by providing the additional password scheme {ARGON2} for use in slapd.

The argon2 module does not need any configuration, but it can be configured by giving the following parameters:

m=<memory>
    Set memory usage to <memory> kiB.

p=<parallelism>
    Set parallelism to <parallelism> threads. Currently supported only when linked with libargon2.

t=<iterations>
    Set the number of iterations to <iterations>.

These replace defaults when preparing hashes for new passwords where possible.

After loading the module, the password scheme {ARGON2} will be recognised in values of the userPassword attribute.

You can then instruct OpenLDAP to use this scheme when processing the LDAPv3 Password Modify (RFC 3062) extended operations by using the password-hash option in slapd.conf(5):

    password-hash {ARGON2}

If you want to use the scheme described here with slappasswd(8), remember to load the module using its command line options. The relevant option/value is:

    -o module-load=argon2

Or if non-default parameters are required:

    -o module-load="argon2 [<param> ...]"

Depending on argon2's location, you may also need:

    -o module-path=pathspec

Both userPassword LDAP attributes below encode the password 'secret' using different salts:

userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw
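
The m=, t= and p= parameters described above are recorded in every stored value, so existing entries can be audited without knowing any password. The following is an added example, not part of this manual page or of the module's code: it parses {ARGON2} values and reports entries below a policy floor. The names POLICY and MIN_SALT_BYTES and their values are assumptions chosen for illustration, not OpenLDAP defaults.

```python
import base64
import re

# The two sample userPassword values shown on this page.
SAMPLES = [
    "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng",
    "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw",
]

# Assumed site policy floors (not OpenLDAP defaults): memory in kiB, passes, lanes.
POLICY = {"m": 19456, "t": 2, "p": 1}
MIN_SALT_BYTES = 16  # assumed policy value

_ENCODED = re.compile(
    r"^\{ARGON2\}\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$"
)

def _b64(text):
    """Decode the unpadded base64 used for the salt and hash fields."""
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_argon2(value):
    """Split a {ARGON2} value into its fields; raise ValueError if malformed."""
    match = _ENCODED.match(value.strip())
    if match is None:
        raise ValueError("not a well-formed {ARGON2} value")
    variant, version, mem, passes, lanes, salt, digest = match.groups()
    return {
        "variant": variant, "version": int(version),
        "m": int(mem), "t": int(passes), "p": int(lanes),
        "salt": _b64(salt), "hash_len": len(_b64(digest)),
    }

def audit(value):
    """Return policy findings for one stored value (empty list means it passes)."""
    fields = parse_argon2(value)
    findings = [f"{key}={fields[key]} is below the policy floor {floor}"
                for key, floor in POLICY.items() if fields[key] < floor]
    if len(fields["salt"]) < MIN_SALT_BYTES:
        findings.append(f"salt is {len(fields['salt'])} bytes, policy floor is {MIN_SALT_BYTES}")
    return findings

if __name__ == "__main__":
    for value in SAMPLES:
        print(parse_argon2(value)["salt"], audit(value))
```

Values that fail the audit can only be upgraded when the user next changes or re-enters the password, since the new parameters apply when a hash is prepared.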

This manual page has been written by Peter Marschall based on the module's README file written by Simon Levermann.

OpenLDAP is developed and maintained by The OpenLDAP Project. OpenLDAP is derived from University of Michigan LDAP 3.3 Release.