Provided by: slapd-contrib_2.6.10+dfsg-1ubuntu2.1_amd64

NAME

       slapd-pw-pbkdf2 - PBKDF2 password module to slapd

SYNOPSIS

       ETCDIR/slapd.conf

              moduleload pw-pbkdf2 [iterations]

DESCRIPTION

       The pw-pbkdf2 module for slapd(8) adds support for hashing passwords in OpenLDAP with the key stretching
       function PBKDF2 (Password-Based Key Derivation Function 2) as specified in RFC 2898.

       It does so by providing the following additional password schemes for use in slapd:

              {PBKDF2}
                     alias to {PBKDF2-SHA1}

              {PBKDF2-SHA1}
                     PBKDF2 using HMAC-SHA-1 as the underlying pseudorandom function

              {PBKDF2-SHA256}
                     PBKDF2 using HMAC-SHA-256 as the underlying pseudorandom function

              {PBKDF2-SHA512}
                     PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function

CONFIGURATION

       The pw-pbkdf2 module does not need any  configuration.  If  the  optional  iterations  parameter  is  not
       specified, it defaults to 10000.

       After   loading   the   module,  the  password  schemes  {PBKDF2},  {PBKDF2-SHA1},  {PBKDF2-SHA256},  and
       {PBKDF2-SHA512} will be recognised in values of the userPassword attribute.

       You can then instruct OpenLDAP to use these schemes when processing the LDAPv3 Password Modify (RFC 3062)
       extended operations by using the password-hash option in slapd.conf(5).

NOTES

       If you want to use the schemes described here with slappasswd(8), remember to load the module using
       slappasswd's command line options.  The relevant option/value is:

              -o module-load=pw-pbkdf2

       Depending on pw-pbkdf2's location, you may also need:

              -o module-path=pathspec

EXAMPLES

       All of the userPassword LDAP attributes below encode the password 'secret'.

       userPassword: {PBKDF2-SHA512}10000$/oQ4xZi382mk7kvCd3ZdkA$2wqjpuyV2l0U/a1QwoQPOtlQL.UcJGNACj1O24balruqQb/NgPW6OCvvrrJP8.SzA3/5iYvLnwWPzeX8IK/bEQ

       userPassword: {PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg

       userPassword: {PBKDF2-SHA1}10000$QJTEclnXgh9Cz3ChCWpdAg$9.s98jwFJM.NXJK9ca/oJ5AyoAQ

       To  make  {PBKDF2-SHA512}  the password hash used in Password Modify extended operations, simply set this
       line in slapd.conf(5):

       password-hash   {PBKDF2-SHA512}
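
       The following Python sketch is an added example, not code from the module or the OpenLDAP Project. It parses, generates and verifies userPassword values in the layout the examples above show. It assumes, from those examples, that the value is iterations$salt$derived-key in base64 with '.' in place of '+' and no '=' padding, and that the derived key has the digest's output length; all function names are hypothetical.

```python
import base64, hashlib, hmac, os

# Scheme -> (hashlib digest, derived-key bytes); lengths assumed from the page's examples.
SCHEMES = {
    "{PBKDF2}": ("sha1", 20),          # alias to {PBKDF2-SHA1}
    "{PBKDF2-SHA1}": ("sha1", 20),
    "{PBKDF2-SHA256}": ("sha256", 32),
    "{PBKDF2-SHA512}": ("sha512", 64),
}

def ab64_decode(text):
    # Assumed encoding: '.' stands in for '+', '=' padding is dropped.
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)

def ab64_encode(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")

def parse(value):
    """Split a userPassword value into (digest, iterations, salt, dk)."""
    scheme, sep, rest = value.partition("}")
    scheme += sep
    if scheme not in SCHEMES:
        raise ValueError("not a PBKDF2 scheme: %r" % scheme)
    fields = rest.split("$")
    if len(fields) != 3 or not fields[0].isdigit():
        raise ValueError("expected iterations$salt$dk")
    digest, dk_len = SCHEMES[scheme]
    salt, dk = ab64_decode(fields[1]), ab64_decode(fields[2])
    if len(dk) != dk_len:
        raise ValueError("derived key length does not match scheme")
    return digest, int(fields[0]), salt, dk

def make(password, scheme="{PBKDF2-SHA512}", iterations=10000, salt=None):
    """Build a userPassword value; password is bytes, salt defaults to 16 random bytes."""
    digest, dk_len = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password, salt, iterations, dk_len)
    return "%s%d$%s$%s" % (scheme, iterations, ab64_encode(salt), ab64_encode(dk))

def verify(password, value):
    """Recompute the key with the stored parameters and compare in constant time."""
    digest, iterations, salt, dk = parse(value)
    cand = hashlib.pbkdf2_hmac(digest, password, salt, iterations, len(dk))
    return hmac.compare_digest(cand, dk)
```

       Because the iteration count and salt are read back from the stored value, entries hashed before a change to the iterations parameter still verify with their original count.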

SEE ALSO

       slapd.conf(5), ldappasswd(1), slappasswd(8), ldap(3)

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

       This manual page was written by Peter Marschall, based on the module's README file written by HAMANO
       Tsukasa <hamano@osstech.co.jp>.

       OpenLDAP  is  developed  and  maintained by The OpenLDAP Project (http://www.openldap.org/).  OpenLDAP is
       derived from University of Michigan LDAP 3.3 Release.

OpenLDAP LDVERSION                                 RELEASEDATE                                SLAPD-PW-PBKDF2(5)