Skip to content
Snippets Groups Projects
Normal view Permalink
slapd-pw-argon2.5 2.58 KiB
Newer Older
  • Learn to ignore specific revisions
    • Peter Marschall's avatar
    ITS#9203 contrib/passwd/argon2: add manual page
    Peter Marschall committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 
    .TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2020 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-pw-argon2 \- Argon2 password module to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.RS
.LP
.B moduleload pw-argon2
.RI [ <parameters> ]
.RE
.SH DESCRIPTION
.LP
The
.B pw-argon2
module to
.BR slapd (8)
provides support for the use of the key derivation function Argon2,
that was selected as the winner of the Password Hashing Competition in July 2015,
in hashed passwords in OpenLDAP.
.LP
It does so by providing the additional password scheme
.B {ARGON2}
for use in slapd.

.SH CONFIGURATION
The
.B pw-argon2
module does not need any configuration,
but it can be configured by giving the following parameters:
.TP
.BI m= <memory>
Set memory usage to
.I <memory>
kiB.
.TP
.BI p= <parallelism>
Set parallelism to
.I <parallelism>
threads.
.TP
.BI t= <iterations>
Set the number of iterations to
.IR <iterations> .
    Ryan Tandy's avatar
    ITS#9203 Remove default values from slapd-pw-argon2.5  
    Ryan Tandy committed
    47 48 
    .LP
These replace defaults when preparing hashes for new passwords where possible.
    Peter Marschall's avatar
    ITS#9203 contrib/passwd/argon2: add manual page
    Peter Marschall committed
    49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 
    .LP
After loading the module, the password scheme
.B {ARGON2}
will be recognised in values of the
.I userPassword
attribute.
.LP
You can then instruct OpenLDAP to use this scheme when processing
the LDAPv3 Password Modify (RFC 3062) extended operations by using the
.BR password-hash
option in
.BR slapd.conf (5):
.RS
.LP
.B password\-hash {ARGON2}
.RE
.LP

.SS NOTES
If you want to use the scheme described here with
.BR slappasswd (8),
remember to load the module using its command line options.
The relevant option/value is:
.RS
.LP
.B \-o
.BR module\-load = pw-argon2
.LP
.RE
Depending on
.BR pw-argon2 's
location, you may also need:
.RS
.LP
.B \-o
.BR module\-path = \fIpathspec\fP
.RE

.SH EXAMPLES
Both userPassword LDAP attributes below encode the password
.RI ' secret '
using different salts:
.EX
.LP
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
.LP
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw
.EE

.SH SEE ALSO
.BR slapd.conf (5),
.BR ldappasswd (1),
.BR slappasswd (8),
.BR ldap (3),
.LP
.UR http://www.OpenLDAP.org/doc/
"OpenLDAP Administrator's Guide"
.UE
.LP

.SH ACKNOWLEDGEMENTS
This manual page has been written by Peter Marschall based on the
module's README file written by
.MT simon@levermann.de
Simon Levermann
.ME .
.LP
.B OpenLDAP
is developed and maintained by
.UR http://www.openldap.org/
The OpenLDAP Project
.UE .
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.