.TH SLAPPW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2020-2021 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slappw\-argon2 \- Argon2 password module to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.RS
.LP
.B moduleload argon2
.RI [ <parameters> ]
.RE
.SH DESCRIPTION
.LP
The
.B argon2
module to
.BR slapd (8)
provides support for the key derivation function Argon2,
which was selected as the winner of the Password Hashing Competition in July 2015,
for hashing passwords in OpenLDAP.
.LP
It does so by providing the additional password scheme
.B {ARGON2}
for use in slapd.

.SH CONFIGURATION
The
.B argon2
module does not need any configuration,
but it can be configured by giving the following parameters:
.TP
.BI m= <memory>
Set memory usage to
.I <memory>
kiB.
.TP
.BI p= <parallelism>
Set parallelism to
.I <parallelism>
threads. Currently supported only when linked with
.BR libargon2 .
.TP
.BI t= <iterations>
Set the number of iterations to
.IR <iterations> .
.LP
These replace defaults when preparing hashes for new passwords where possible.
.LP
After loading the module, the password scheme
.B {ARGON2}
will be recognised in values of the
.I userPassword
attribute.
.LP
You can then instruct OpenLDAP to use this scheme when processing
the LDAPv3 Password Modify (RFC 3062) extended operations by using the
.B password\-hash
option in
.BR slapd.conf (5):
.RS
.LP
.B password\-hash {ARGON2}
.RE
.LP

.SS NOTES
If you want to use the scheme described here with
.BR slappasswd (8),
remember to load the module using its command line options.
The relevant option/value is:
.RS
.LP
.B \-o
.BR module\-load = argon2
.LP
.RE
Or if non-default parameters are required:
.RS
.LP
.B \-o
.BR module\-load =" argon2
.RB [ <param> ...]"
.LP
.RE
Depending on
.BR argon2 's
location, you may also need:
.RS
.LP
.B \-o
.BR module\-path = \fIpathspec\fP
.RE

.SH EXAMPLES
Both userPassword LDAP attributes below encode the password
.RI ' secret '
using different salts:
.EX
.LP
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
.LP
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw
.EE
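.LP
The configured parameters apply only when hashes are prepared for new passwords, and each stored value carries its own m, t and p, as the two values above show. The following is an added example, not part of the OpenLDAP distribution, that parses {ARGON2} values and reports those whose cost falls below a site policy; the POLICY thresholds and the function names are hypothetical and chosen for illustration.

```python
import base64
import re

# Hypothetical policy floor for this example (not OpenLDAP defaults).
POLICY = {"m": 65536, "t": 3, "p": 1, "salt_len": 16}

# Values copied from the EXAMPLES section of this manual page.
EXAMPLES = [
    "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ"
    "$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng",
    "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0"
    "$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw",
]

_VALUE = re.compile(
    r"\{ARGON2\}\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)"
)

def _b64(text):
    # The encoded form omits base64 padding; restore it before decoding.
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_argon2(value):
    """Split an {ARGON2} userPassword value into fields; None if malformed."""
    match = _VALUE.fullmatch(value.strip())
    if match is None:
        return None
    variant, version, mem, iters, par, salt, digest = match.groups()
    try:
        salt_bytes, digest_bytes = _b64(salt), _b64(digest)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return {"variant": variant, "version": int(version), "m": int(mem),
            "t": int(iters), "p": int(par), "salt": salt_bytes,
            "hash_len": len(digest_bytes)}

def audit(value, policy=POLICY):
    """Return findings for a stored value whose cost is below the policy."""
    rec = parse_argon2(value)
    if rec is None:
        return ["not a well-formed {ARGON2} value"]
    found = [f"{k}={rec[k]} is below policy minimum {policy[k]}"
             for k in ("m", "t", "p") if rec[k] < policy[k]]
    if len(rec["salt"]) < policy["salt_len"]:
        found.append(f"salt is {len(rec['salt'])} bytes, policy wants "
                     f"{policy['salt_len']}")
    return found
```

Calling audit() on each userPassword value exported from the directory lists the entries that still carry older parameters.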

.SH SEE ALSO
.BR slapd.conf (5),
.BR ldappasswd (1),
.BR slappasswd (8),
.BR ldap (3)
.LP
.UR http://www.OpenLDAP.org/doc/
"OpenLDAP Administrator's Guide"
.UE
.LP

.SH ACKNOWLEDGEMENTS
This manual page has been written by Peter Marschall based on the
module's README file written by
.MT simon@levermann.de
Simon Levermann
.ME .
.LP
.B OpenLDAP
is developed and maintained by
.UR http://www.openldap.org/
The OpenLDAP Project
.UE .
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.