Add support for setting the password crypt format

Change default password to CRYPT-SHA-256 for security

Signed-off-by: Mistial Developer <admin@mistial.dev>

bitnami/openldap/2.5/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh

@@ -73,7 +73,8 @@ export LDAP_REQUIRE_TLS="${LDAP_REQUIRE_TLS:-no}"
 export LDAP_ULIMIT_NOFILES="${LDAP_ULIMIT_NOFILES:-1024}"
 export LDAP_ALLOW_ANON_BINDING="${LDAP_ALLOW_ANON_BINDING:-yes}"
 export LDAP_LOGLEVEL="${LDAP_LOGLEVEL:-256}"
-export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{SSHA\}}"
+export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{CRYPT\}}"
+export LDAP_PASSWORD_CRYPT_SALT_FORMAT="${LDAP_PASSWORD_CRYPT_SALT_FORMAT:-\$5\$%.16s}"
 export LDAP_CONFIGURE_PPOLICY="${LDAP_CONFIGURE_PPOLICY:-no}"
 export LDAP_PPOLICY_USE_LOCKOUT="${LDAP_PPOLICY_USE_LOCKOUT:-no}"
 export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-no}"
@@ -633,9 +634,7 @@ ldap_initialize() {
             ldap_add_custom_schemas
         fi
         # additional configuration
-        if [[ ! "$LDAP_PASSWORD_HASH" == "{SSHA}" ]]; then
-            ldap_configure_password_hash
-        fi
+        ldap_configure_password_hash
         if is_boolean_yes "$LDAP_CONFIGURE_PPOLICY"; then
             ldap_configure_ppolicy
         fi
@@ -835,10 +834,20 @@ EOF
 ldap_configure_password_hash() {
     info "Configuring LDAP olcPasswordHash"
     cat > "${LDAP_SHARE_DIR}/password_hash.ldif" << EOF
+#
+# Password Hash Configuration
+#
 dn: olcDatabase={-1}frontend,cn=config
 changetype: modify
 add: olcPasswordHash
 olcPasswordHash: $LDAP_PASSWORD_HASH
+
+#
+# Password Crypt Salt Format
+#
+dn: cn=config
+add: olcPasswordCryptSaltFormat
+olcPasswordCryptSaltFormat: $LDAP_PASSWORD_CRYPT_SALT_FORMAT
 EOF
     debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/password_hash.ldif"
 }

bitnami/openldap/2.6/debian-12/rootfs/opt/bitnami/scripts/libopenldap.sh

@@ -73,7 +73,8 @@ export LDAP_REQUIRE_TLS="${LDAP_REQUIRE_TLS:-no}"
 export LDAP_ULIMIT_NOFILES="${LDAP_ULIMIT_NOFILES:-1024}"
 export LDAP_ALLOW_ANON_BINDING="${LDAP_ALLOW_ANON_BINDING:-yes}"
 export LDAP_LOGLEVEL="${LDAP_LOGLEVEL:-256}"
-export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{SSHA\}}"
+export LDAP_PASSWORD_HASH="${LDAP_PASSWORD_HASH:-{CRYPT\}}"
+export LDAP_PASSWORD_CRYPT_SALT_FORMAT="${LDAP_PASSWORD_CRYPT_SALT_FORMAT:-\$5\$%.16s}"
 export LDAP_CONFIGURE_PPOLICY="${LDAP_CONFIGURE_PPOLICY:-no}"
 export LDAP_PPOLICY_USE_LOCKOUT="${LDAP_PPOLICY_USE_LOCKOUT:-no}"
 export LDAP_PPOLICY_HASH_CLEARTEXT="${LDAP_PPOLICY_HASH_CLEARTEXT:-no}"
@@ -633,9 +634,7 @@ ldap_initialize() {
             ldap_add_custom_schemas
         fi
         # additional configuration
-        if [[ ! "$LDAP_PASSWORD_HASH" == "{SSHA}" ]]; then
-            ldap_configure_password_hash
-        fi
+        ldap_configure_password_hash
         if is_boolean_yes "$LDAP_CONFIGURE_PPOLICY"; then
             ldap_configure_ppolicy
         fi
@@ -835,10 +834,20 @@ EOF
 ldap_configure_password_hash() {
     info "Configuring LDAP olcPasswordHash"
     cat > "${LDAP_SHARE_DIR}/password_hash.ldif" << EOF
+#
+# Password Hash Configuration
+#
 dn: olcDatabase={-1}frontend,cn=config
 changetype: modify
 add: olcPasswordHash
 olcPasswordHash: $LDAP_PASSWORD_HASH
+
+#
+# Password Crypt Salt Format
+#
+dn: cn=config
+add: olcPasswordCryptSaltFormat
+olcPasswordCryptSaltFormat: $LDAP_PASSWORD_CRYPT_SALT_FORMAT
 EOF
     debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/password_hash.ldif"
 }

bitnami/openldap/2.6/debian-12/tags-info.yaml

@@ -1,5 +1,5 @@
 rolling-tags:
 - "2.6"
 - 2.6-debian-12
-- 2.6.8
+- 2.6.9
 - latest

bitnami/openldap/README.md

@@ -190,7 +190,8 @@ The Bitnami Docker OpenLDAP can be easily setup with the following environment v
 * `LDAP_ULIMIT_NOFILES`: Maximum number of open file descriptors. Default: **1024**.
 * `LDAP_ALLOW_ANON_BINDING`: Allow anonymous bindings to the LDAP server. Default: **yes**.
 * `LDAP_LOGLEVEL`: Set the loglevel for the OpenLDAP server (see <https://www.openldap.org/doc/admin26/slapdconfig.html> for possible values). Default: **256**.
-* `LDAP_PASSWORD_HASH`: Hash to be used in generation of user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. Default: **{SSHA}**.
+* `LDAP_PASSWORD_HASH`: Hash to be used in generation of user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. Default: **{CRYPT}**.
+* `LDAP_PASSWORD_CRYPT_SALT_FORMAT`: When using the {CRYPT} hash, specifies the format of the salt. Default: **$5$%.16s%s** (SHA-256).
 * `LDAP_CONFIGURE_PPOLICY`: Enables the ppolicy module and creates an empty configuration. Default: **no**.
 * `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**.
 * `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**.