Provided by: slapd-contrib_2.6.9+dfsg-2ubuntu1_amd64

NAME

       slapd-pw-pbkdf2 - PBKDF2 password module to slapd

SYNOPSIS

       ETCDIR/slapd.conf

              moduleload pw-pbkdf2

DESCRIPTION

       The  pw-pbkdf2  module  to  slapd(8)  provides  support for the use of the key stretching function PBKDF2
       (Password-Based Key Derivation Function 2) following RFC 2898 in hashed passwords in OpenLDAP.

       It does so by providing the following additional password schemes for use in slapd:

              {PBKDF2}
                     alias to {PBKDF2-SHA1}

              {PBKDF2-SHA1}
                     PBKDF2 using HMAC-SHA-1 as the underlying pseudorandom function

              {PBKDF2-SHA256}
                     PBKDF2 using HMAC-SHA-256 as the underlying pseudorandom function

              {PBKDF2-SHA512}
                     PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function

CONFIGURATION

       The pw-pbkdf2 module does not need any configuration.

       After  loading  the  module,  the  password  schemes  {PBKDF2},   {PBKDF2-SHA1},   {PBKDF2-SHA256},   and
       {PBKDF2-SHA512} will be recognised in values of the userPassword attribute.

       You can then instruct OpenLDAP to use these schemes when processing the LDAPv3 Password Modify (RFC 3062)
       extended operations by using the password-hash option in slapd.conf(5).

NOTES

       If  you  want to use the schemes described here with slappasswd(8), remember to load the module using its
       command line options.  The relevant option/value is:

              -o module-load=pw-pbkdf2

       Depending on pw-pbkdf2's location, you may also need:

              -o module-path=pathspec

EXAMPLES

       All of the userPassword LDAP attributes below encode the password 'secret'.

       userPassword: {PBKDF2-SHA512}10000$/oQ4xZi382mk7kvCd3ZdkA$2wqjpuyV2l0U/a1QwoQPOtlQL.UcJGNACj1O24balruqQb/NgPW6OCvvrrJP8.SzA3/5iYvLnwWPzeX8IK/bEQ

       userPassword: {PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg

       userPassword: {PBKDF2-SHA1}10000$QJTEclnXgh9Cz3ChCWpdAg$9.s98jwFJM.NXJK9ca/oJ5AyoAQ

       To make {PBKDF2-SHA512} the password hash used in Password Modify extended operations,  simply  set  this
       line in slapd.conf(5):

       password-hash   {PBKDF2-SHA512}
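
       The following Python sketch is an added example, not part of the module or its README: it parses
       and checks userPassword values in the layout of the samples above, and generates new ones.
       Assumptions: the layout {SCHEME}iterations$salt$hash, base64 with '.' in place of '+' and no
       padding (read off the samples), UTF-8 passwords, and the function names, which are hypothetical.

```python
import base64, hashlib, hmac, os

# Scheme -> hashlib digest; {PBKDF2} is an alias of {PBKDF2-SHA1} (see DESCRIPTION).
DIGESTS = {"PBKDF2": "sha1", "PBKDF2-SHA1": "sha1",
           "PBKDF2-SHA256": "sha256", "PBKDF2-SHA512": "sha512"}

def ab64_decode(text):
    # Assumption read off the samples: base64 with '.' for '+' and no '=' padding.
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)

def ab64_encode(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")

def parse_userpassword(value):
    """Split '{SCHEME}iterations$salt$hash' into (scheme, rounds, salt, dk)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, rest = value[1:].split("}", 1)
    if scheme not in DIGESTS:
        raise ValueError("not a pw-pbkdf2 scheme: " + scheme)
    fields = rest.split("$")
    if len(fields) != 3 or not fields[0].isdigit() or int(fields[0]) < 1:
        raise ValueError("expected iterations$salt$hash")
    salt, dk = ab64_decode(fields[1]), ab64_decode(fields[2])
    if not salt or not dk:
        raise ValueError("empty salt or hash")
    return scheme, int(fields[0]), salt, dk

def verify_password(value, password):
    scheme, rounds, salt, dk = parse_userpassword(value)
    # Derive as many bytes as were stored, then compare in constant time.
    derived = hashlib.pbkdf2_hmac(DIGESTS[scheme], password.encode("utf-8"),
                                  salt, rounds, len(dk))
    return hmac.compare_digest(derived, dk)

def make_hash(password, scheme="PBKDF2-SHA512", rounds=10000):
    # 16-byte random salt (the length the sample salts decode to).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(DIGESTS[scheme], password.encode("utf-8"), salt, rounds)
    return "{%s}%d$%s$%s" % (scheme, rounds, ab64_encode(salt), ab64_encode(dk))

if __name__ == "__main__":
    # Sample value copied from EXAMPLES above; the page says it encodes 'secret'.
    sample = "{PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg"
    print(parse_userpassword(sample)[:2], verify_password(sample, "secret"))
    print(make_hash("constructed-demo-password"))
```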

SEE ALSO

       slapd.conf(5), ldappasswd(1), slappasswd(8), ldap(3),

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

       This  manual page has been written by Peter Marschall based on the module's README file written by HAMANO
       Tsukasa <hamano@osstech.co.jp>.

       OpenLDAP is developed and maintained by The OpenLDAP  Project  (http://www.openldap.org/).   OpenLDAP  is
       derived from University of Michigan LDAP 3.3 Release.

OpenLDAP LDVERSION                                 RELEASEDATE                                SLAPD-PW-PBKDF2(5)