How to Implement Argon2 Hash on OpenLdap?

Question

Argon2 is a password hashing algorithm that was selected as the winner of the Password Hashing Competition in July 2015. It is a secure and efficient algorithm that is resistant to brute-force attacks.

I am currently using OpenLdap v2.5 packaged as bitnami/openldap image to store user information, including passwords. I would like to implement Argon2 to hash passwords so that I can help to protect them from being compromised.

Specifically, I need to know:

• How to install the argon2 module on OpenLdap ?
• How to configure OpenLdap to use Argon2 for password hashing ?
• How to test my configuration to make sure that it is working correctly ?

Answer 1

To implement Argon2 Hash on OpenLDAP, you can do the following steps:

1. Add Argon2 as OpenLdap hash module & allowed method
2. Create/Modify userpassword with Argon2
3. Verify user authentication

1 - Add Argon2 as OpenLdap hash module & allowed method

Modify LDAP config in order to load Argon2

ldapmodify -H -Y EXTERNAL ldapi:/// -f modules.ldif

with modules.ldif:

# Load Argon2 module
dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
# Adapt the olcModulePath below depending on your OS or your packaged openldap
olcModulePath: /opt/bitnami/openldap/libexec/openldap/
olcModuleLoad: argon2.so

# Tell that Argon2 is an allowed hash method
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}

2 - Create/Modify userpassword with Argon2

Generate a hashed password with Argon2 module

slappasswd -o module-load=argon2.so -h {ARGON2} -s "mypassword"

It should return something like : {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$G+lDOYm0ra9Gl/e/gZ+FZw$HlePGPXj2ghUZfznIvKvzgRZaEXm0/4YVWttmztakgM

Then, modify an existing user password:

ldapmodify -x -H ldapi:/// -D "cn=admin,dc=example,dc=com" -w "adminPassword" -x -f changeUserPassword.ldif

with changeUserPassword.ldif:

dn: cn=JohnDoe,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$G+lDOYm0ra9Gl/e/gZ+FZw$HlePGPXj2ghUZfznIvKvzgRZaEXm0/4YVWttmztakgM

3 - Verify user authentication

Now, verify that the user can be authenticated with his new hashed password:

ldapwhoami -x -H ldapi:/// -D  "cn=JohnDoe,ou=users,dc=example,dc=com" -w "mypassword"

If ìt is ok, it should return the DN : dn:cn=JohnDoe,,ou=users,dc=example,dc=com

I hope this helps! Let me know if you have any other questions.