View Issue Details

ID: 0001024
Project: Rocky-Linux-8
Category: General
View Status: public
Last Update: 2023-11-21 23:18
Reporter: sylvain guyot
Assigned To: Louis Abel
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: won't fix
Summary: 0001024: openldap rpm is not compiled with sha2 module as it is done in centos7 rpm
Description: openldap rpm r8 (version 2.4.46) on rocky linux 8 is not compiled with sha2 module (as it is done in centos7 rpm)
https://git.rockylinux.org/staging/rpms/openldap/-/blob/r8/SPECS/openldap.spec

We are not able to hash passwords with SSHA512.
The following command fails: slappasswd -h {SSHA512} -o module-path=/usr/lib64/openldap -o module-load=pw-sha2 -s password
Could you modify the rpm build of the version 2.4 (r8) to include the module pw-sha2 ?
Steps To Reproduce: Launch the command:
slappasswd -h {SSHA512} -o module-path=/usr/lib64/openldap -o module-load=pw-sha2 -s password
Additional Information: In the CentOS spec (https://git.centos.org/rpms/openldap/blob/c7/f/SPECS/openldap.spec) we have the following lines to compile the sha2 module:
# build sha2 with other overlays
ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \
      servers/slapd/overlays
ls servers/slapd/overlays
mv contrib/slapd-modules/passwd/sha2/README{,.sha2}
Tags: No tags attached.

Activities

Louis Abel (administrator) 2022-11-21 20:08 ~0001156

Thank you for the report.

Unfortunately we avoid making changes like this to the packages that Red Hat releases to maintain compatibility with their product and packages. CentOS 7 was the same way. In your example, you can see pw-sha2 being patched in (and a reference to a private bug in the change log), so this was done by Red Hat (not by CentOS). In 8, this isn't the case. It also seems the Fedora OpenLDAP package doesn't have it patched in either. It's likely this is because Red Hat does not directly support nor maintain the openldap-servers package.

You may or may not get a response from Red Hat if you file a bug at bugzilla.redhat.com.
Louis Abel (administrator) 2023-11-21 23:18 ~0005201

Closing ticket due to 8.9's pending release.

As stated in a previous comment, we cannot make changes to the build else we would begin to deviate from upstream. However, you have a few workarounds:

1) Migrate to openldap builds from ltb (https://ltb-project.org/)
2) Custom build the openldap package with the necessary changes you need
3) Use the CRYPT function

For number 3, it should be possible to use CRYPT to force openldap to use glibc's crypt capabilities as a passthrough. Essentially, you would need to modify cn=config to have these attributes:

olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: $6$%.16s

Passwords then get stored as {CRYPT}$6$...$... which will look close to what you would see in /etc/shadow on a local system.
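An added audit script, not part of this ticket or of the Rocky Linux packaging, that checks an LDIF export of userPassword values against the {CRYPT}$6$ layout the workaround above produces, so entries still stored under the old scheme can be found and reset. The DNs and hash bodies are constructed sample data; it assumes the 16-character salt that the $6$%.16s salt format yields.

```python
import base64
import re

# Value shape produced by olcPasswordHash {CRYPT} with olcPasswordCryptSaltFormat $6$%.16s:
# {CRYPT} prefix, SHA-512 crypt id, up to 16 salt chars, then the 86-char hash.
CRYPT_SHA512 = re.compile(
    r"^\{CRYPT\}\$6\$(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]{86})$"
)

# Constructed sample export (as from `slapcat` or `ldapsearch -LLL`); hash bodies are dummies.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: {CRYPT}$6$abcdefghijklmnop$" + "A" * 86,
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{SSHA}" + b"B" * 28).decode(),  # base64 in LDIF
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: {CRYPT}$1$shortslt$" + "C" * 22,  # md5crypt left from before the change
])

def parse_ldif(text):
    """Yield (dn, userPassword) per entry; joins folded lines, decodes '::' base64 values."""
    text = re.sub(r"\n ", "", text)  # LDIF folds long values onto lines starting with a space
    for block in text.split("\n\n"):
        dn, pw = None, None
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("userPassword:: "):
                pw = base64.b64decode(line[15:]).decode()
            elif line.startswith("userPassword: "):
                pw = line[14:]
        if dn and pw is not None:
            yield dn, pw

def classify(value):
    """'ok' for a SHA-512 crypt hash with the full 16-char salt, else why it needs a reset."""
    m = CRYPT_SHA512.match(value)
    if not m:
        head = re.match(r"^\{[^}]*\}(?:\$[^$]*\$)?", value)  # e.g. {SSHA} or {CRYPT}$1$
        scheme = head.group(0) if head else "<cleartext or unknown>"
        return f"rehash: scheme {scheme!r} is not {{CRYPT}}$6$"
    if len(m["salt"]) < 16:
        return f"rehash: salt is {len(m['salt'])} chars, expected 16"
    return "ok"

def audit(ldif_text):
    """Map DN -> verdict; slapd rehashes only on the next password change, so non-'ok' entries need a reset."""
    return {dn: classify(pw) for dn, pw in parse_ldif(ldif_text)}
```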

Issue History

Date Modified Username Field Change
2022-11-21 18:54 sylvain guyot New Issue
2022-11-21 20:08 Louis Abel Assigned To => Louis Abel
2022-11-21 20:08 Louis Abel Status new => acknowledged
2022-11-21 20:08 Louis Abel Note Added: 0001156
2023-11-21 23:18 Louis Abel Status acknowledged => closed
2023-11-21 23:18 Louis Abel Resolution open => won't fix
2023-11-21 23:18 Louis Abel Note Added: 0005201