
enterprise-support team mailing list archive

[Bug 2125685] [NEW] pbkdf2 module not make iterations configurable and FIPS 140-3


Public bug reported:

On Ubuntu 24.04, the OpenLDAP package ships with the library /usr/lib/ldap/pw-pbkdf2.so.
While this module works for generating PBKDF2-SHA512 password hashes, it does not provide an option to configure the number of iterations.

For example:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}

generates a hash with a fixed iteration count (e.g. 10000) and does not
accept parameters to increase it.

In contrast, the upstream contrib module passwd/pbkdf2 on
https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/passwd/pbkdf2

supports the iteration count option and allows administrators to
configure it.

moduleload pw-pbkdf2.so [iterations]

Steps to reproduce:

Install OpenLDAP on Ubuntu 24.04. (slapd and slapd-contrib packages)
Run
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y

Expected behavior:
The pw-pbkdf2.so module should support configuration of the iteration count, as provided in the upstream passwd/pbkdf2 contrib module.

Actual behavior:
Iteration count is hardcoded (default: 10000), and cannot be changed.

Impact:
Without the ability to configure the iteration count, it is not possible to meet current security best practices or achieve compliance with FIPS 140-3, which requires configurable and sufficiently high iteration counts for PBKDF2.

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to openldap in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2125685

Title:
  pbkdf2 module not make iterations configurable and FIPS 140-3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2125685/+subscriptions
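The hash layout shown in the report ({SCHEME}iterations$salt$dk) can be parsed, verified and audited for low iteration counts with a short script. The code below is an added example, not code from the bug report or from the OpenLDAP pw-pbkdf2 module. It assumes that the salt and derived key use the adapted-base64 alphabet ('.' in place of '+', padding stripped) and that the bare {PBKDF2} scheme is the HMAC-SHA1 variant, which is consistent with the 20-byte derived key in the sample hash; the policy minimum of 100000 iterations used in the demo is a constructed value, not a figure taken from any standard.

```python
"""Parse, verify and audit OpenLDAP-style {PBKDF2*} password hashes.

Added example (not part of the bug report or of the pw-pbkdf2 module).
Assumed layout: {SCHEME}iterations$salt$dk, salt and dk in adapted base64.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Sample hash quoted in the bug report (password "secret", 10000 iterations).
SAMPLE_HASH = "{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y"

# Scheme name -> hashlib digest name (assumption: {PBKDF2} means HMAC-SHA1).
SCHEMES = {
    "PBKDF2": "sha1",
    "PBKDF2-SHA1": "sha1",
    "PBKDF2-SHA256": "sha256",
    "PBKDF2-SHA512": "sha512",
}

_HASH_RE = re.compile(
    r"^\{(?P<scheme>[A-Z0-9-]+)\}(?P<iters>\d+)\$(?P<salt>[^$]+)\$(?P<dk>[^$]+)$"
)


def ab64_decode(s: str) -> bytes:
    """Decode adapted base64: '.' stands for '+', padding was stripped."""
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def ab64_encode(b: bytes) -> str:
    """Inverse of ab64_decode."""
    return base64.b64encode(b).decode("ascii").rstrip("=").replace("+", ".")


def parse_hash(h: str) -> dict:
    """Split a {PBKDF2*} hash into scheme, digest, iterations, salt and dk."""
    m = _HASH_RE.match(h)
    if not m:
        raise ValueError("not a {PBKDF2*} hash")
    scheme = m.group("scheme")
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    return {
        "scheme": scheme,
        "digest": SCHEMES[scheme],
        "iterations": int(m.group("iters")),
        "salt": ab64_decode(m.group("salt")),
        "dk": ab64_decode(m.group("dk")),
    }


def make_hash(password: str, scheme: str = "PBKDF2-SHA512",
              iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Build a hash in the same layout with a caller-chosen iteration count."""
    digest = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return f"{{{scheme}}}{iterations}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify(password: str, h: str) -> bool:
    """Recompute PBKDF2 with the stored parameters; constant-time compare."""
    p = parse_hash(h)
    dk = hashlib.pbkdf2_hmac(p["digest"], password.encode("utf-8"),
                             p["salt"], p["iterations"], dklen=len(p["dk"]))
    return hmac.compare_digest(dk, p["dk"])


def audit(hashes: List[str], min_iterations: int) -> List[Tuple[str, int]]:
    """Return (hash, iterations) for every parseable hash below the policy minimum."""
    weak = []
    for h in hashes:
        try:
            p = parse_hash(h)
        except ValueError:
            continue  # other schemes ({SSHA}, {CRYPT}, ...) are out of scope here
        if p["iterations"] < min_iterations:
            weak.append((h, p["iterations"]))
    return weak


if __name__ == "__main__":
    # Constructed policy minimum for the demo; choose your own per digest.
    for h, iters in audit([SAMPLE_HASH, make_hash("demo", iterations=200_000)], 100_000):
        print(f"below policy ({iters} iterations): {h}")
```

Running the script reports the report's sample hash as below the constructed policy minimum while a hash generated with 200000 iterations passes. Because the iteration count is stored inside each hash, an audit like this can be run against an LDIF export of userPassword values to find entries still protected by the hardcoded default.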
