I have an OpenLDAP LDAP server on Debian 9 (through the slapd package, v2.4.44). We use crypt for password authentication. Currently the scheme is SHA512: $5$...
The setup is pretty much as described in this question: How to use SHA-256 hashed (and salted) passwords from OpenLDAP in pam_ldap? (and see https://en.wikipedia.org/wiki/Crypt_(C))
I was thinking I would try to upgrade from SHA512 to bcrypt (blowfish hashes, $2y$...) since they are much harder to crack.
The beauty about the crypt back-end is that the scheme is saved in the password itself. So to test bcrypt I can just log into my LDAP browser and change my own password to {CRYPT}$2y$10$...$, using an online tool to produce the hash.
However, if I now try to log in with that account, it says my credentials are invalid.
For the record, with the process described I can successfully change the hash to other types and still log in. It seems that bcrypt specifically is not recognized, but I expect the option to be there.
So, what else do I need to do to let OpenLDAP work with bcrypt?
I got it to work. It seems the shipped version of `libcrypt` simply does not support bcrypt. Following this blog from 2019, I downloaded and built an extension to `libcrypt` that does include bcrypt (and is backwards compatible). I'll copy the steps in case the blog disappears:

1. Get the `libxcrypt` library: https://github.com/besser82/libxcrypt (I got version 4.4.3) and build it:
   $ ./bootstrap && ./configure && make
2. Build dependencies: `autoconf`, `automake`, `libtool` and `pkg-config` (see the repo Readme for further instructions)
3. Install the new `libcrypt`:
   $ cp ./.libs/libcrypt.so.1.1.0 /lib/x86_64-linux-gnu
4. Back up the old `libcrypt`:
   $ cd /lib/x86_64-linux-gnu && cp libcrypt.so.1 libcrypt.so.1.0.0
5. Replace `libcrypt` with a link to the new version:
   $ rm libcrypt.so.1 && ln -s libcrypt.so.1.1.0 libcrypt.so.1

Warning: With `libcrypt` missing or corrupt, your system cannot perform any authentications! Including logins and `sudo ...` commands. So make sure to replace the file in one go and be prepared for a complete lock-out.

With these changes `{CRYPT}$2y$...` hashes are accepted! I use the PHP `crypt()` function to create new password hashes.
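The symlink swap in step 5 above can be done without the moment in which libcrypt.so.1 does not exist: create the new link under a temporary name and rename it over the old one, since rename(2) is atomic. This is an added example written for this page, not code from the answer or the linked blog; the library directory and the .so file names are parameters (the page's values would be /lib/x86_64-linux-gnu and libcrypt.so.1.1.0).

```sh
# swap_libcrypt LIBDIR NEW_SONAME
#   Back up whatever libcrypt.so.1 currently resolves to, then repoint the
#   symlink to NEW_SONAME with a single rename. LIBDIR and NEW_SONAME are
#   assumed parameters (e.g. /lib/x86_64-linux-gnu and libcrypt.so.1.1.0).
swap_libcrypt() {
    libdir=$1
    new=$2
    link="$libdir/libcrypt.so.1"
    backup="$libdir/libcrypt.so.1.0.0"

    # The replacement library must already be installed next to the symlink;
    # refuse to touch the link otherwise.
    [ -r "$libdir/$new" ] || { echo "swap_libcrypt: $libdir/$new not found" >&2; return 1; }

    # Keep a copy of the library the link resolves to now, unless a backup
    # already exists. cp follows the symlink, so the backup is the real object.
    if [ -e "$link" ] && [ ! -e "$backup" ]; then
        cp -p "$link" "$backup" || return 1
    fi

    # Create the new link under a temporary name in the same directory and
    # rename it over the old one. rename(2) is atomic, so libcrypt.so.1 always
    # resolves to some library; "rm && ln -s" leaves a gap during which every
    # login and sudo on the host fails.
    tmp="$libdir/.libcrypt.so.1.$$"
    ln -s "$new" "$tmp" || return 1
    mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }

    # Confirm the link now points at the new library and is readable.
    [ "$(readlink "$link")" = "$new" ] && [ -r "$link" ]
}

# libcrypt_target LIBDIR
#   Print the current symlink target of libcrypt.so.1 (check before and after).
libcrypt_target() {
    readlink "$1/libcrypt.so.1"
}
```

Run it as root against the real library directory only after the new .so is in place; a failed precondition leaves the existing link untouched.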
There is an unofficial bcrypt module for OpenLDAP at https://github.com/wclarie/openldap-bcrypt/
However, I would strongly advise instead using an OpenLDAP build that includes support for Argon2 password hashes.