openldap service not starting when using ARGON2 password scheme


The ARGON2 password scheme is working successfully, but whenever I start/restart slapd it fails to recognize the ARGON2 scheme.

Output of journalctl -xeu slapd.service:

Jun 23 17:21:53 mail slapd[3932159]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({ARGON2})
Jun 23 17:21:53 mail slapd[3932159]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 23 17:21:53 mail slapd[3932159]: config error processing cn=config: <olcPasswordHash> no valid hashes found
Jun 23 17:21:53 mail slapd[3932159]: DIGEST-MD5 common mech free
Jun 23 17:21:53 mail slapd[3932159]: DIGEST-MD5 common mech free
Jun 23 17:21:53 mail slapd[3932159]: slapd stopped.
Jun 23 17:21:53 mail slapd[3932159]: connections_destroy: nothing to destroy.
Jun 23 17:21:53 mail slapd[3932153]:    ...fail!
Jun 23 17:21:53 mail systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE

If I change the password scheme to SSHA, then I can start the slapd server. Then while slapd is running I can switch from SSHA to ARGON2, and it works fine - ARGON2 password hashes are being created.

Why does slapd say ARGON2 scheme not available?

Adrien Arcuri On

The error message "ARGON2 scheme not available" indicates that the ARGON2 password hash is not enabled in your OpenLDAP configuration. To enable ARGON2, you need to ensure that:

    1. The hash module (Argon2) is loaded
    2. The hash method (Argon2) is allowed (to store a new password)

The following is for OpenLDAP >= v2.4.

1 - Verify hash module is loaded

Search for your config module:

ldapsearch -H ldapi:/// -b "cn=module{0},cn=config"

If there is no module, add the module:

ldapmodify -H ldapi:/// -f modules.ldif

where modules.ldif is:

dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
# Adapt the olcModulePath below depending on your OS or your packaged openldap.
# olcModulePath is the directory that holds the modules; olcModuleLoad names
# the module file inside that directory.
olcModulePath: /opt/src/openldap-2.5.4/servers/slapd/pwmods
olcModuleLoad: argon2.la

Note: for the openldap/bitnami image, the olcModule config is:

olcModulePath: /opt/bitnami/openldap/lib/openldap/
olcModuleLoad: argon2.so

2 - Verify hash method is allowed

Search for your config:

ldapsearch -H ldapi:/// -b "olcDatabase={-1}frontend,cn=config"

If there is no olcPasswordHash directive, update the config:

ldapmodify -H ldapi:/// -f olcPasswordHash.ldif

where olcPasswordHash.ldif is:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}

I hope this helps! Let me know if you have any other questions.

Best regards,
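The two checks in the answer above (module loaded, scheme allowed) can be scripted so they run before a restart instead of being discovered from the journal afterwards. The following is an added example and is not part of the answer or of OpenLDAP itself: it parses LDIF text in the shape that `ldapsearch` prints for `cn=module{0},cn=config` and `olcDatabase={-1}frontend,cn=config`. The LDIF samples embedded here are constructed; in real use you would feed in the output of the two `ldapsearch` commands from the answer. The function names (`module_loaded`, `scheme_allowed`, `check_argon2_config`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the answerer's code): offline check of the two conditions
# the answer lists before restarting slapd. Input is LDIF text such as
# `ldapsearch -LLL -H ldapi:/// -b "cn=module{0},cn=config"` prints.

# Return 0 if an olcModuleLoad line names the argon2 module (.la or .so),
# with or without the {N} ordering prefix cn=config adds on readback.
module_loaded() {
    printf '%s\n' "$1" | grep -Eiq '^olcModuleLoad:[[:space:]]*([{][0-9]+[}])?argon2\.(la|so)$'
}

# Return 0 if an olcPasswordHash line on the frontend database lists {ARGON2}.
scheme_allowed() {
    printf '%s\n' "$1" | grep -Eq '^olcPasswordHash:.*[{]ARGON2[}]'
}

# $1 = LDIF of cn=module{0},cn=config, $2 = LDIF of olcDatabase={-1}frontend,cn=config.
# Prints which step of the answer is still missing; exit status 0 only if both pass.
check_argon2_config() {
    rc=0
    module_loaded "$1"  || { echo "step 1: argon2 module is not loaded"; rc=1; }
    scheme_allowed "$2" || { echo "step 2: {ARGON2} is not in olcPasswordHash"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ARGON2 configuration looks complete"
    return "$rc"
}

# Constructed sample LDIF (not captured from a real server).
MODULES_OK='dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}argon2.so'

MODULES_MISSING='dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb.so'

FRONTEND_OK='dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcPasswordHash: {ARGON2}'

FRONTEND_SSHA='dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcPasswordHash: {SSHA}'

# Run over the samples: first a broken configuration, then a complete one.
check_argon2_config "$MODULES_MISSING" "$FRONTEND_SSHA" || echo "check failed with exit status $?"
check_argon2_config "$MODULES_OK" "$FRONTEND_OK"
```

The module check is deliberately case-insensitive and accepts both `argon2.la` and `argon2.so`, since the answer shows the source-tree name and the Bitnami name; the scheme check looks only at the frontend database entry, which is where `olcPasswordHash` must live for slapd's startup validation to find it.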