Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

openldap-server: enable crypt(3) passwords

Browse source 
With crypt(3) password storage scheme enabled, OpenLDAP can receive and
store SHA-256 and SHA-512 password hashes from Samba AD-DC. Without
crypt(3), synchronization of passwords between Samba AD-DC (v4.5 and
above) and OpenLDAP requires use of cleartext passwords.

To use password hashes from Samba, OpenLDAP must be compiled with
--enable-crypt switch. This patch introduces a new configuration
parameter to enable the use of crypt(3) function by OpenLDAP.

Enabling crypt(3) increases the size of slapd binary by 12 bytes on
the x86_64 target and by only 4 bytes on the ipq806x target.

Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
This commit is contained in:
Val Kulkov 2019-01-22 14:55:20 -05:00
parent 1acacbbf6c
commit e3d246d610
1 changed files with 27 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
libs/openldap/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openldap PKG_NAME:=openldap
PKG_VERSION:=2.4.47 PKG_VERSION:=2.4.47
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
PKG_SOURCE_URL:=https://gpl.savoirfairelinux.net/pub/mirrors/openldap/openldap-release/ \ PKG_SOURCE_URL:=https://gpl.savoirfairelinux.net/pub/mirrors/openldap/openldap-release/ \
@ -24,6 +24,7 @@ PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS := \ PKG_CONFIG_DEPENDS := \
CONFIG_OPENLDAP_DEBUG \ CONFIG_OPENLDAP_DEBUG \
CONFIG_OPENLDAP_CRYPT \
CONFIG_OPENLDAP_MONITOR \ CONFIG_OPENLDAP_MONITOR \
CONFIG_OPENLDAP_DB47 \ CONFIG_OPENLDAP_DB47 \
CONFIG_OPENLDAP_ICU CONFIG_OPENLDAP_ICU
@ -53,6 +54,25 @@ define Package/libopenldap/config
help help
Enable debugging information. This option must be enabled Enable debugging information. This option must be enabled
for the loglevel directive to work. for the loglevel directive to work.
config OPENLDAP_CRYPT
bool "Crypt(3) passwords support"
default n
help
With crypt(3) password storage scheme enabled, OpenLDAP can
receive and store SHA-256 and SHA-512 password hashes from
Samba AD-DC. If this option is disabled, synchronization of
passwords between Samba AD-DC (v4.5 and above) and OpenLDAP
requires use of cleartext passwords.
To enable crypt(3) password synchronization functionality:
1. Re-include crypt(3) support in OpenWRT by enabling 'Include
crypt() support for SHA256, SHA512 and Blowfish ciphers' option
in "Advanced configuration options (for developers)" ->
"Toolchain Options".
2. Provision AD-DC with 'password hash userPassword schemes'
option. For more information, see smb.conf manpage for details
on 'password hash userPassword schemes'.
3. Use a script to synchronize passwords from AD-DC to
OpenLDAP. See samba-tool manpage for 'user syncpasswords'.
config OPENLDAP_MONITOR config OPENLDAP_MONITOR
bool "Enable monitor backend" bool "Enable monitor backend"
default n default n
@ -121,6 +141,12 @@ CONFIGURE_ARGS += \
--disable-relay --disable-relay
ifdef CONFIG_OPENLDAP_CRYPT
CONFIGURE_ARGS+= --enable-crypt
else
CONFIGURE_ARGS+= --disable-crypt
endif
ifdef CONFIG_OPENLDAP_MONITOR ifdef CONFIG_OPENLDAP_MONITOR
CONFIGURE_ARGS+= --enable-monitor CONFIGURE_ARGS+= --enable-monitor
else else