Reputation: 11
The ARGON2 password scheme is working successfully, but whenever I start/restart slapd it fails to recognize ARGON2 scheme.
Output of journalctl -xeu slapd.service:
Jun 23 17:21:53 mail slapd[3932159]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({ARGON2})
Jun 23 17:21:53 mail slapd[3932159]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 23 17:21:53 mail slapd[3932159]: config error processing cn=config: <olcPasswordHash> no valid hashes found
Jun 23 17:21:53 mail slapd[3932159]: DIGEST-MD5 common mech free
Jun 23 17:21:53 mail slapd[3932159]: DIGEST-MD5 common mech free
Jun 23 17:21:53 mail slapd[3932159]: slapd stopped.
Jun 23 17:21:53 mail slapd[3932159]: connections_destroy: nothing to destroy.
Jun 23 17:21:53 mail slapd[3932153]: ...fail!
Jun 23 17:21:53 mail systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
If I change the password scheme to SSHA, then I can start the slapd server. Then while slapd is running I can switch from SSHA to ARGON2, and it works fine - ARGON2 password hashes are being created.
Why does slapd say ARGON2 scheme not available?
Upvotes: 1
Views: 379
Reputation: 2410
The error message "ARGON2 scheme not available" indicates that the ARGON2 password hash is not enabled in your OpenLDAP configuration. To enable ARGON2 you need to ensure the following:
The following is for OpenLDAP >= v2.4.
Search for your config module:
ldapsearch -H ldapi:/// -b "cn=module{0},cn=config"
If there is no module, add the module:
ldapmodify -H ldapi:/// -f modules.ldif
where modules.ldif is:
dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
# Adapt the olcModulePath below depending on your OS or your packaged openldap.
# olcModulePath is the directory searched for modules; olcModuleLoad is the file in it.
olcModulePath: /opt/src/openldap-2.5.4/servers/slapd/pwmods
olcModuleLoad: argon2.la
Note: for the openldap/bitnami image, the olcModule config is:
olcModulePath: /opt/bitnami/openldap/lib/openldap/
olcModuleLoad: argon2.so
Search for your config:
ldapsearch -H ldapi:/// -b "olcDatabase={-1}frontend,cn=config"
If there is no olcPasswordHash directive, update the config:
ldapmodify -H ldapi:/// -f olcPasswordHash.ldif
where olcPasswordHash.ldif is:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}
I hope this helps! Let me know if you have any other questions.
Best regards,
Upvotes: 2
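The two checks and two LDIF changes from the answer above, collected into one POSIX shell script as an added example (this is not code from the answer or from the OpenLDAP project). The parsing functions take ldapsearch output as a string, so they can be exercised on constructed data; the live queries run only when ARGON2_CHECK_LIVE=1 is set. The `-Q -Y EXTERNAL` SASL bind (root over ldapi:///), the default module directory /usr/lib/ldap and the file name argon2.so are assumptions, not from the page; adjust them to your build or package. It also handles one case the answer skips: if cn=module{0} already exists, a `changetype: add` would fail, so the script emits a `changetype: modify` that only appends the olcModuleLoad value.

```shell
#!/bin/sh
# Added example, not from the answer above. Verifies that the argon2 password
# module and the {ARGON2} olcPasswordHash are recorded in cn=config so slapd
# picks them up at startup, and prints the LDIF needed to add whichever is missing.

# Assumptions (not from the page): module directory and file name.
ARGON2_MODULE_DIR="${ARGON2_MODULE_DIR:-/usr/lib/ldap}"
ARGON2_MODULE_FILE="${ARGON2_MODULE_FILE:-argon2.so}"

# Return 0 if ldapsearch output for cn=module{0},cn=config contains an
# olcModuleLoad line for argon2 (.la from a source build, .so from a package).
# Values may carry an ordering prefix such as {1}, so that is made optional.
argon2_module_loaded() {
    printf '%s\n' "$1" | grep -qiE '^olcModuleLoad: ([{][0-9]+[}])?argon2\.(la|so)$'
}

# Return 0 if the ldapsearch output shows that the cn=module{0} entry exists at all.
module_entry_exists() {
    printf '%s\n' "$1" | grep -q '^dn: cn=module{0},cn=config$'
}

# Return 0 if the frontend database output lists {ARGON2} among olcPasswordHash values.
argon2_hash_configured() {
    printf '%s\n' "$1" | grep -qiE '^olcPasswordHash: ([{][0-9]+[}])?[{]ARGON2[}]'
}

# Print the LDIF that registers the module.
#   $1 = "add" when cn=module{0} does not exist yet, "modify" when it does
#   $2 = directory holding the module, $3 = module file name
# In the modify case only olcModuleLoad is appended; olcModulePath is single-valued,
# so the existing entry's path list must already contain the directory.
module_ldif() {
    if [ "$1" = add ]; then
        printf 'dn: cn=module{0},cn=config\nchangetype: add\nobjectClass: olcModuleList\n'
        printf 'cn: module{0}\nolcModulePath: %s\nolcModuleLoad: %s\n' "$2" "$3"
    else
        printf 'dn: cn=module{0},cn=config\nchangetype: modify\n'
        printf 'add: olcModuleLoad\nolcModuleLoad: %s\n' "$3"
    fi
}

# Print the LDIF that adds {ARGON2} to the frontend database's olcPasswordHash.
password_hash_ldif() {
    printf 'dn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\n'
    printf 'add: olcPasswordHash\nolcPasswordHash: {ARGON2}\n'
}

# Live path: query cn=config and apply whichever change is missing.
check_and_fix() {
    mods=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b 'cn=module{0},cn=config' 2>/dev/null)
    if argon2_module_loaded "$mods"; then
        echo "argon2 module already recorded in cn=config"
    elif module_entry_exists "$mods"; then
        module_ldif modify "$ARGON2_MODULE_DIR" "$ARGON2_MODULE_FILE" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    else
        module_ldif add "$ARGON2_MODULE_DIR" "$ARGON2_MODULE_FILE" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    fi

    fe=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// \
            -b 'olcDatabase={-1}frontend,cn=config' olcPasswordHash 2>/dev/null)
    if argon2_hash_configured "$fe"; then
        echo "{ARGON2} already set as olcPasswordHash"
    else
        password_hash_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    fi
}

# Only touch a real directory when explicitly asked; otherwise the functions
# above can be sourced and run against saved ldapsearch output.
if [ "${ARGON2_CHECK_LIVE:-0}" = 1 ]; then
    check_and_fix
fi
```

Run it as root with `ARGON2_CHECK_LIVE=1 sh check_argon2.sh`, then restart slapd and re-run the script: both checks should report the entries as already present, which is the state the restart in the question needs to succeed.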