In slapd.conf:
- moduleload pw-pbkdf2.so
+ moduleload pw-pbkdf2.so [iterations]
+
+Iterations defaults to 10000.
You can also tell OpenLDAP to use the schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash
#define PBKDF2_SHA512_DK_SIZE 64
#define PBKDF2_MAX_DK_SIZE 64
+static int pbkdf2_iteration = PBKDF2_ITERATION;
+
const struct berval pbkdf2_scheme = BER_BVC("{PBKDF2}");
const struct berval pbkdf2_sha1_scheme = BER_BVC("{PBKDF2-SHA1}");
const struct berval pbkdf2_sha256_scheme = BER_BVC("{PBKDF2-SHA256}");
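Review bot: The new file-scope `pbkdf2_iteration` carries no comment saying when it is written or what it governs, although it now decides the work factor wherever `PBKDF2_ITERATION` was used directly before. I would add `/* PBKDF2 iteration count; set once in init_module() from the optional moduleload argument, defaults to PBKDF2_ITERATION. */` above the declaration. The documented default of 10000 is also far below current PBKDF2 guidance (the OWASP password storage cheat sheet recommends hundreds of thousands of iterations for the SHA-2 variants), so the README and man page text should steer administrators towards raising it rather than present 10000 as sufficient.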
struct berval salt;
unsigned char dk_value[PBKDF2_MAX_DK_SIZE];
struct berval dk;
- int iteration = PBKDF2_ITERATION;
+ int iteration = pbkdf2_iteration;
int rc;
#ifdef HAVE_OPENSSL
const EVP_MD *md;
int init_module(int argc, char *argv[]) {
int rc;
+
+ if (argc == 2) {
+ int iter = atoi(argv[1]);
+ if (iter > 0)
+ pbkdf2_iteration = iter;
+ else
+ return -1;
+ }
rc = lutil_passwd_add((struct berval *)&pbkdf2_scheme,
pbkdf2_check, pbkdf2_encrypt);
if(rc) return rc;
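Review bot: `atoi(argv[1])` in the added argument handling cannot tell a valid count from a malformed one: `20000x` is accepted as 20000, an out-of-range value has undefined behaviour, and any `argc` other than 2 falls through silently with the default. Because this number is the work factor for stored passwords, a typo in slapd.conf should fail the module load rather than quietly weaken hashing; parsing with `strtol`, checking the end pointer and range, and rejecting extra arguments does that (it needs `<errno.h>` and `<limits.h>` if the file does not already include them). It is worth confirming that slapd passes the module name as `argv[0]`, since otherwise a single argument would arrive with `argc == 1` and never be read. A documented lower bound would also keep values such as 1 from being accepted. The rest of init_module continues past the end of this hunk.

```c
int init_module(int argc, char *argv[]) {
	int rc;

	if (argc == 2) {
		char *end;
		long iter;

		errno = 0;
		iter = strtol(argv[1], &end, 10);
		/* Reject empty input, trailing garbage, overflow and non-positive counts. */
		if (end == argv[1] || *end != '\0' || errno == ERANGE ||
			iter <= 0 || iter > INT_MAX)
			return -1;
		pbkdf2_iteration = (int)iter;
	} else if (argc > 2) {
		/* Unexpected extra arguments: fail the load instead of ignoring them. */
		return -1;
	}
	/* … unchanged: lutil_passwd_add() registrations … */
```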
.RS
.LP
.B moduleload
-.B pw-pbkdf2
+.B pw-pbkdf2 [iterations]
.RE
.SH DESCRIPTION
.LP
.SH CONFIGURATION
The
.B pw-pbkdf2
-module does not need any configuration.
+module does not need any configuration. If the optional
+.B iterations
+parameter is not specified, it defaults to 10000.
.LP
After loading the module, the password schemes
{PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, and {PBKDF2-SHA512}