-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bitnami/openldap] Add support for setting the password crypt format #70398
[bitnami/openldap] Add support for setting the password crypt format #70398
Conversation
I kept the automatic plaintext conversion disabled in the interest of compatibility. I could change that as well to make this more secure out of the box, or add a LDAP_HARDENED environment variable that sets some sensible security defaults, including adding ACLs. Unless you need something like MSCHAPv2 support (VPN for windows, mainly), it's a very good idea to have ACLs set which prohibit reading the contents of the userPassword attribute. If I were doing a hardened config, I'd also be tempted to limit anonymous binding and disable enumeration by users (permitting search by email or username), and adding an ou for service accounts that had full access. |
Hi, thank you very much for this PR, it looks like a very nice addition! I will run some manual tests on my side and I'll get back to you. Thanks again! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please check my comments? Thanks!
bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh
Show resolved
Hide resolved
export LDAP_ENCRYPTED_ADMIN_PASSWORD="$(echo -n $LDAP_ADMIN_PASSWORD | slappasswd -c '$5$%.16s' -n -T /dev/stdin)" | ||
export LDAP_ENCRYPTED_CONFIG_ADMIN_PASSWORD="$(echo -n $LDAP_CONFIG_ADMIN_PASSWORD | slappasswd -c '$5$%.16s' -n -T /dev/stdin)" | ||
export LDAP_ENCRYPTED_ACCESSLOG_ADMIN_PASSWORD="$(echo -n $LDAP_ACCESSLOG_ADMIN_PASSWORD | slappasswd -c '$5$%.16s' -n -T /dev/stdin)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If LDAP_PASSWORD_CRYPT_SALT_FORMAT
is configurable, should it be used here instead of hardcoding the value?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This approach forced the use of the higher security default for the admin password. I could make it configurable, but it wouldn't force the higher security option for the admin password.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. I think it should be configurable. If users may need different formats for admin and the rest, maybe we can define a new env-var: LDAP_ADMIN_PASSWORD_CRYPT_SALT_FORMAT
. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. I think it should be configurable. If users may need different formats for admin and the rest, maybe we can define a new env-var:
LDAP_ADMIN_PASSWORD_CRYPT_SALT_FORMAT
. What do you think?
Added. Additionally, I changed the defaults to enable ppolicy and hash plaintext passwords by default.
It can be turned off easily enough, either through environment variables or ldapmodify after the fact. Sane defaults are better, and with Microsoft Active Directory using hashed passwords, there's precedent for not doing plaintext passwords. It also works fine for shadow support, and the use of CRYPT instead of something weird increases compatibility when used elsewhere.
Looking at them now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, could you please check my comment?
export LDAP_ENCRYPTED_ADMIN_PASSWORD="$(echo -n $LDAP_ADMIN_PASSWORD | slappasswd -c '$5$%.16s' -n -T /dev/stdin)" | ||
export LDAP_ENCRYPTED_CONFIG_ADMIN_PASSWORD="$(echo -n $LDAP_CONFIG_ADMIN_PASSWORD | slappasswd -c '$5$%.16s' -n -T /dev/stdin)" | ||
export LDAP_ENCRYPTED_ACCESSLOG_ADMIN_PASSWORD="$(echo -n $LDAP_ACCESSLOG_ADMIN_PASSWORD | slappasswd -c '$5$%.16s' -n -T /dev/stdin)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. I think it should be configurable. If users may need different formats for admin and the rest, maybe we can define a new env-var: LDAP_ADMIN_PASSWORD_CRYPT_SALT_FORMAT
. What do you think?
This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution. |
export LDAP_PPOLICY_USE_LOCKOUT="${LDAP_PPOLICY_USE_LOCKOUT:-no}" | ||
export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-no}" | ||
export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-yes}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Applying this through the policy means that it's applied when necessary. It doesn't force a particular hashed format if non-plaintext passwords are applied.
export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{CRYPT\}}" | ||
export LDAP_PASSWORD_CRYPT_SALT_FORMAT="${LDAP_PASSWORD_CRYPT_SALT_FORMAT:-\$5\$%.16s}" | ||
export LDAP_ADMIN_PASSWORD_CRYPT_SALT_FORMAT="${LDAP_ADMIN_PASSWORD_CRYPT_SALT_FORMAT:-\$5\$%.16s}" | ||
export LDAP_CONFIGURE_PPOLICY="${LDAP_CONFIGURE_PPOLICY:-yes}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting this as the default ensures that password hashing is used even when the environment variables are used to pass credentials and no policy is set. Leaving plaintext passwords around is risky.
46f84e6
to
ca84e4c
Compare
@mistial-dev, just one minor thing, The DCO check failed. Please read https://github.com/bitnami/containers/pull/70398/checks?check_run_id=30415074724 to see how you can fix that. Thanks! |
…73007) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…tnami#73008) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…itnami#73009) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…73010) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…ami#73011) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…73012) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…tnami#73013) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…itnami#72646) [bitnami][clickhouse] Correct ClickHouse behavior when user adds custom init/start script Signed-off-by: Tin Trung Ngo <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…73014) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…bian-12-r0 (bitnami#73015) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…73019) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…itnami#73021) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…itnami#73022) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
…2-r7 (bitnami#73025) Signed-off-by: Bitnami Bot <[email protected]> Signed-off-by: Mistial Developer <[email protected]>
80d40ed
to
7ff7ae8
Compare
Hi @mistial-dev, Thanks for fixing the DCO issue. Can you rebase the main branch on your fork and fix the conflicts? |
This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution. |
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary. |
Description of the change
This patch adds the configuration option "LDAP_PASSWORD_CRYPT_SALT_FORMAT", allowing the crypt salt format to be set in the container environment variables.
Additionally, this patch changes the default for password encoding from SHA (which is now retired by NIST) to salted SHA-256 using crypt() (which defaults to 5,000 rounds). This change is also applied to administrative passwords (admin, config admin, accesslog admin).
Benefits
NIST recommends moving away from SHA-1 due to insecurity.
While it is possible to use a third party module for SHA-256 and SHA-512 from an atlassian employee, it is simpler and more compatible to use {CRYPT} support. This allows the number of rounds to be user-configured for increased attack resistance, allows the algorithm to be specified, and provides the hash in a way that other applications using compatible crypt() implementations can interoperate with.
This improves the default security posture while supporting existing configurations.
Possible drawbacks
Applications designed to work directly with hash values (for example, the SHA or MD5 hash) will not work unless they also have support for crypt passwords. The previous behaviour can be restored by setting LDAP_PASSWORD_HASH to "SSHA".
Note that applications that bind as a user with a simple password should be unaffected by this change. Only applications using the password hash directly may be affected.
Additional information
To take advantage of the new security defaults, LDAP_CONFIGURE_PPOLICY and LDAP_PPOLICY_HASH_CLEARTEXT should be set to yes. This will result in user passwords automatically being hashed, even if they are set in plaintext. This applies to users created through the LDAP_USERS and LDAP_PASSWORDS environment variables.