
openldap-server: enable crypt(3) passwords

With the crypt(3) password storage scheme enabled, OpenLDAP can receive and
store SHA-256 and SHA-512 password hashes from Samba AD-DC. Without
crypt(3), synchronization of passwords between Samba AD-DC (v4.5 and
above) and OpenLDAP requires the use of cleartext passwords.

To use password hashes from Samba, OpenLDAP must be compiled with the
--enable-crypt switch. This patch introduces a new configuration
parameter to enable the use of the crypt(3) function by OpenLDAP.

Enabling crypt(3) increases the size of the slapd binary by 12 bytes on
the x86_64 target and by only 4 bytes on the ipq806x target.

Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
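An added example (not code from this commit, from OpenWrt, OpenLDAP or Samba) of what the distinction the commit message draws between crypt(3) hashes and cleartext looks like in a directory: a small Python audit that reads a slapcat-style LDIF export, classifies each userPassword value by storage scheme and, for {CRYPT} values, by the crypt(3) algorithm id and round count, and flags entries that are stored in cleartext or use DES or MD5 crypt. The LDIF and the hash strings in it are constructed placeholders, not real hashes.

```python
"""Audit userPassword values in an OpenLDAP export for their storage scheme.

Added example for this commit page; it is not code from the OpenWrt package,
OpenLDAP or Samba.  The LDIF below is constructed for the example, and the
hash strings in it are format placeholders, not real hashes of any password.
"""
import base64
import re
from typing import Dict, Optional

# crypt(3) algorithm identifiers as they appear after the leading '$'
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}
STRONG_CRYPT = {"sha256crypt", "sha512crypt", "bcrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = "5000"  # used when no rounds= field is present

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def parse_user_password(value: str) -> Dict[str, Optional[str]]:
    """Classify one userPassword value into scheme, crypt algorithm, rounds and verdict.

    verdict is 'cleartext', 'weak' or 'ok'.
    """
    m = SCHEME_RE.match(value)
    if m is None:
        # No {scheme} prefix: slapd treats the value as the plaintext password.
        return {"scheme": None, "algorithm": None, "rounds": None, "verdict": "cleartext"}
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return {"scheme": scheme, "algorithm": None, "rounds": None, "verdict": "cleartext"}
    if scheme != "CRYPT":
        # Non-crypt schemes: salted SHA-1 ({SSHA}) is tolerable, unsalted {SHA}/{MD5} are not.
        verdict = "weak" if scheme in {"SHA", "MD5", "SMD5"} else "ok"
        return {"scheme": scheme, "algorithm": None, "rounds": None, "verdict": verdict}

    # {CRYPT}: the remainder is a crypt(3) string.  Modular crypt format is
    # $id$[rounds=N$]salt$hash; a string without a leading '$' is traditional DES.
    if not rest.startswith("$"):
        return {"scheme": "CRYPT", "algorithm": "descrypt", "rounds": None, "verdict": "weak"}
    parts = rest.split("$")  # parts[0] is '' because rest starts with '$'
    algorithm = CRYPT_IDS.get(parts[1], "unknown") if len(parts) > 1 else "unknown"
    rounds: Optional[str] = None
    if algorithm in {"sha256crypt", "sha512crypt"}:
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
        if len(parts) > 2 and parts[2].startswith("rounds="):
            rounds = parts[2][len("rounds="):]
    elif algorithm == "bcrypt" and len(parts) > 2:
        rounds = parts[2]  # bcrypt cost factor, e.g. "12"
    verdict = "ok" if algorithm in STRONG_CRYPT else "weak"
    return {"scheme": "CRYPT", "algorithm": algorithm, "rounds": rounds, "verdict": verdict}


def audit_ldif(ldif: str) -> Dict[str, str]:
    """Return {dn: verdict} for every entry in an LDIF dump that carries userPassword.

    Handles both 'userPassword: value' and the base64 form 'userPassword:: ...'
    that slapcat/ldapsearch use for values with non-printable or leading-special bytes.
    """
    verdicts: Dict[str, str] = {}
    dn: Optional[str] = None
    for line in ldif.splitlines():
        lower = line.lower()
        if lower.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and lower.startswith("userpassword:: "):
            raw = base64.b64decode(line.split(":: ", 1)[1].strip())
            verdicts[dn] = parse_user_password(raw.decode("utf-8", "replace"))["verdict"]
        elif dn and lower.startswith("userpassword: "):
            verdicts[dn] = parse_user_password(line.split(": ", 1)[1].strip())["verdict"]
    return verdicts


# Constructed sample export: one entry per storage situation the audit distinguishes.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword: {CRYPT}$6$rounds=100000$placeholdersalt$placeholderhash",  # synced SHA-512 crypt hash
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword: {CRYPT}$1$placehold$placeholderhash",  # md5crypt: crypt(3) still accepts it, flagged weak
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(b"{SSHA}placeholderdigest").decode(),  # base64 LDIF form
    "",
    "dn: uid=dave,ou=people,dc=example,dc=org",
    "userPassword: correct-horse",  # what a cleartext sync leaves behind
])


if __name__ == "__main__":
    for entry_dn, verdict in audit_ldif(SAMPLE_LDIF).items():
        print(f"{verdict:9s} {entry_dn}")
```

Run it against a real `slapcat -l export.ldif` output to see which entries a cleartext sync left behind and which {CRYPT} values came from an algorithm crypt(3) accepts but you would not want (DES, md5crypt); the verdict for {CRYPT} is taken from the algorithm id alone, so a deployment that wants only the SHA-256/SHA-512 hashes has to enforce that at the Samba side and in the sync script.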
lilik-openwrt-22.03
Val Kulkov 6 years ago
parent
commit
e3d246d610
1 changed file with 27 additions and 1 deletion
libs/openldap/Makefile

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openldap
PKG_VERSION:=2.4.47
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
PKG_SOURCE_URL:=https://gpl.savoirfairelinux.net/pub/mirrors/openldap/openldap-release/ \
@ -24,6 +24,7 @@ PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS := \
CONFIG_OPENLDAP_DEBUG \
CONFIG_OPENLDAP_CRYPT \
CONFIG_OPENLDAP_MONITOR \
CONFIG_OPENLDAP_DB47 \
CONFIG_OPENLDAP_ICU
@ -53,6 +54,25 @@ define Package/libopenldap/config
help
Enable debugging information. This option must be enabled
for the loglevel directive to work.
config OPENLDAP_CRYPT
bool "Crypt(3) passwords support"
default n
help
With crypt(3) password storage scheme enabled, OpenLDAP can
receive and store SHA-256 and SHA-512 password hashes from
Samba AD-DC. If this option is disabled, synchronization of
passwords between Samba AD-DC (v4.5 and above) and OpenLDAP
requires use of cleartext passwords.
To enable crypt(3) password synchronization functionality:
1. Re-include crypt(3) support in OpenWRT by enabling 'Include
crypt() support for SHA256, SHA512 and Blowfish ciphers' option
in "Advanced configuration options (for developers)" ->
"Toolchain Options".
2. Provision AD-DC with 'password hash userPassword schemes'
option. For more information, see smb.conf manpage for details
on 'password hash userPassword schemes'.
3. Use a script to synchronize passwords from AD-DC to
OpenLDAP. See samba-tool manpage for 'user syncpasswords'.
config OPENLDAP_MONITOR
bool "Enable monitor backend"
default n
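Review bot: the help text's step 1 tells the user to enable the toolchain option 'Include crypt() support for SHA256, SHA512 and Blowfish ciphers' by hand, but the new OPENLDAP_CRYPT symbol carries no `depends on` (or `select`) for the toolchain symbol behind that option, so nothing stops a build with OPENLDAP_CRYPT=y on a libc whose crypt() lacks those algorithms; slapd would then accept {CRYPT} values and fail every bind against a SHA-256/SHA-512 crypt hash at runtime. Enforce step 1 as a Kconfig dependency rather than documenting it. The help could also say that --enable-crypt only adds the {CRYPT} scheme for storing and verifying hashes; which scheme slapd uses for hashes it generates itself is still governed by the password-hash and password-crypt-salt-format directives in slapd.conf, so an admin who wants slapd-side {CRYPT} has to set those as well. Minor: "OpenWRT" should be "OpenWrt".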
@ -121,6 +141,12 @@ CONFIGURE_ARGS += \
--disable-relay
ifdef CONFIG_OPENLDAP_CRYPT
CONFIGURE_ARGS+= --enable-crypt
else
CONFIGURE_ARGS+= --disable-crypt
endif
ifdef CONFIG_OPENLDAP_MONITOR
CONFIGURE_ARGS+= --enable-monitor
else
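Review bot: the ifdef/else mirrors the existing OPENLDAP_MONITOR block, and passing an explicit --disable-crypt in the else branch is the right choice for a reproducible configure. Worth stating somewhere, since the help text above only talks about SHA-256 and SHA-512: with --enable-crypt, slapd hands any {CRYPT} value to crypt(3), which picks the algorithm from the string's prefix, so traditional DES and MD5-crypt values are accepted too; restricting the directory to the SHA-crypt hashes has to be done at the Samba side (the list given in 'password hash userPassword schemes') and in the sync script, not by this build option.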