Unable to configure hashing with the pw-pbkdf2 module #424

@amuckart

Description

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.30.0
  • Ruby: 2.7.5
  • Distribution: Ubuntu 22.04
  • Module version: 7.0.2

How to reproduce (e.g. Puppet code you use)

Configure PasswordHash to PBKDF2-SHA512:

    openldap::server::module { 'pw-pbkdf2':
      ensure => present,
    }

    openldap::server::globalconf { 'PasswordHash':
      ensure => present,
      value  => { 'PasswordHash' => '{PBKDF2-SHA512}' },
    }

What are you seeing

This happens because of this OpenLDAP not-a-bug.

Puppet run fails:

Error: Could not prefetch openldap_global_conf provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(objectClass=olcGlobal)' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})

The problem is that there doesn't seem to be any other way to set olcPasswordHash with this puppet module, or to specify the hashing algorithm for {CRYPT}.

What behaviour did you expect instead

  • It would be good if this limitation were documented in the module docs.
  • It would be better if the PBKDF2-SHA512 config could be added to the frontend database configuration with this module.
  • The ability to set password-crypt-salt-format as per slapd.conf(5) to allow people to select which hashing method to use would also be good.

Output log

Info: Using environment 'my-org'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from my-org-prod-puppet7.my-org.org:8140 (XXX.XXX.XXX.XXX)
Notice: Catalog compiled by puppet.my-org.org
Info: Caching catalog for my-org-ldapserver.mgmt.my-org.org
Info: Applying configuration version '1717466906'
Error: Could not prefetch openldap_global_conf provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(objectClass=olcGlobal)' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})
olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
config error processing cn=config: <olcPasswordHash> no valid hashes found
slapcat: bad configuration file!
Warning: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Globalconf[TLSCertificate]/Openldap_global_conf[TLSCertificate]: Skipping because provider prefetch failed
Warning: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Globalconf[TLSCACertificateFile]/Openldap_global_conf[TLSCACertificateFile]: Skipping because provider prefetch failed
Error: Could not prefetch openldap_database provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(|(olcDatabase=monitor)(olcDatabase={0}config)(&(objectClass=olcDatabaseConfig)(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig)(objectClass=olcMdbConfig)(objectClass=olcMonitorConfig)(objectClass=olcRelayConfig)(objectClass=olcLDAPConfig))))' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})
olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
config error processing cn=config: <olcPasswordHash> no valid hashes found
slapcat: bad configuration file!
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Database[dc=org-mgmt,dc=my-org,dc=org]/Openldap_database[dc=porwal-oob-mgmt,dc=my-org,dc=org]: Skipping because provider prefetch failed
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Globalconf[LocalSSF]/Openldap_global_conf[LocalSSF]: Skipping because provider prefetch failed
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Globalconf[Security]/Openldap_global_conf[Security]: Skipping because provider prefetch failed
Error: Could not prefetch openldap_module provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(objectClass=olcModuleList)' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})
olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
config error processing cn=config: <olcPasswordHash> no valid hashes found
slapcat: bad configuration file!
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Module[pw-pbkdf2]/Openldap_module[pw-pbkdf2]: Skipping because provider prefetch failed
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Globalconf[PasswordHash]/Openldap_global_conf[PasswordHash]: Skipping because provider prefetch failed
Notice: Applied catalog in 14.09 seconds

Any additional information you'd like to impart

Not sure if this is technically a bug, or a feature request.

Thanks.
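A pre-flight check for the failure shown above, added here as an example (it is not from the issue or from the puppet-openldap module): it parses a slapcat cn=config dump and flags olcPasswordHash schemes slapd would reject. It assumes a fixed scheme-to-module table and that slapd validates the cn=config (olcGlobal) entry before the cn=module entries are loaded, which is why a module-provided scheme belongs on the frontend database instead.

```python
# Added pre-flight check, not from the issue or the puppet-openldap module.
# Assumptions: schemes in MODULE_SCHEMES come from loadable modules, and slapd
# validates cn=config (olcGlobal) before cn=module entries load.

BUILTIN_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}
MODULE_SCHEMES = {
    "{PBKDF2}": "pw-pbkdf2", "{PBKDF2-SHA1}": "pw-pbkdf2",
    "{PBKDF2-SHA256}": "pw-pbkdf2", "{PBKDF2-SHA512}": "pw-pbkdf2",
    "{SSHA256}": "pw-sha2", "{SSHA512}": "pw-sha2",
}
# Constructed sample mirroring what the issue's manifest produces.
SAMPLE_CONFIG = """dn: cn=config
objectClass: olcGlobal
olcPasswordHash: {PBKDF2-SHA512}

dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModuleLoad: {0}pw-pbkdf2.la
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for LDIF written with ldif-wrap=no."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries.append((attrs["dn"][0], attrs))
    return entries

def check_password_hash(ldif_text):
    """Return problem strings; an empty list means slapd accepts the config."""
    entries = parse_ldif(ldif_text)
    # olcModuleLoad values look like "{0}pw-pbkdf2.la"; keep the bare name.
    loaded = {v.split("}")[-1].split(".")[0]
              for _, a in entries for v in a.get("olcModuleLoad", [])}
    problems = []
    for dn, attrs in entries:
        for scheme in " ".join(attrs.get("olcPasswordHash", [])).split():
            if scheme in BUILTIN_SCHEMES:
                continue
            module = MODULE_SCHEMES.get(scheme)
            if module is None:
                problems.append(f"{dn}: unknown scheme {scheme}")
            elif module not in loaded:
                problems.append(f"{dn}: {scheme} needs module {module}, not loaded")
            elif dn == "cn=config":
                problems.append(f"{dn}: move {scheme} to olcDatabase={{-1}}frontend")
    return problems
```

Feed it the output of `slapcat -b cn=config -o ldif-wrap=no` taken while the directory still starts, or the LDIF a manifest is about to apply.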
