Does openldap support pbkdf2 hash algorithm

Tags: hash, openldap, password

Since PBKDF2 (Password-Based Key Derivation Function 2) is a more secure hash function, I wonder whether the current OpenLDAP implementation supports PBKDF2 (pbkdf2_sha256, for example)?

I have found some information on Google about PBKDF2 support in OpenLDAP, but I am not sure which OpenLDAP version it applies to, or whether I am doing it the right way:

I have built an OpenLDAP server, version 2.4.28, on Ubuntu 12.04 and used a Python library to generate a PBKDF2-SHA256 hashed password. Then I put this PBKDF2-SHA256 password into a new LDAP user's userPassword field as follows:

userPassword: '{PBKDF2-SHA256}10000$LBwTpUPGqxdH$8pDqhAruY94IhhuCZLost471pGImy//wH0pS25LO/YI='

This did not work. No error was reported in the LDAP log, but I still cannot log in with the original plain-text password.

I would greatly appreciate it if someone could kindly give me some comments or direction!

Best Answer

Currently, the OpenLDAP PBKDF2 module only supports PBKDF2-SHA1. The scheme name is {PBKDF2}. It probably has compatibility with Python Passlib. I have a roadmap for PBKDF2-SHA256 and PBKDF2-SHA512, but they are not implemented yet.

EDIT: PBKDF2-SHA256 and PBKDF2-SHA512 are now supported. https://github.com/hamano/openldap-pbkdf2