[bitnami/openldap] Add support for setting the password crypt format
Description of the change
This patch adds the configuration option "LDAP_PASSWORD_CRYPT_SALT_FORMAT", allowing the crypt salt format to be set in the container environment variables.
Additionally, this patch changes the default password encoding from SHA (salted SHA-1, which NIST has now retired) to salted SHA-256 via crypt(), which defaults to 5,000 rounds. The same change applies to the administrative passwords (admin, config admin, accesslog admin).
Benefits
NIST recommends moving away from SHA-1 due to insecurity.
The SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life, according to security experts at the National Institute of Standards and Technology (NIST). The agency is now recommending that IT professionals replace SHA-1, in the limited situations where it is still used, with newer algorithms that are more secure.
While it is possible to use a third-party module for SHA-256 and SHA-512 written by an Atlassian employee, it is simpler and more compatible to use {CRYPT} support. This lets the number of rounds be configured by the user for increased resistance to brute-force attacks, lets the algorithm be specified, and stores the hash in a form that other applications using compatible crypt() implementations can interoperate with.
This improves the default security posture while supporting existing configurations.
Possible drawbacks
Applications designed to work directly with hash values (for example, the SHA or MD5 hash) will not work unless they also have support for crypt passwords. The previous behaviour can be restored by setting LDAP_PASSWORD_HASH to "SSHA".
Note that applications that bind as a user with a simple password should be unaffected by this change. Only applications using the password hash directly may be affected.
Additional information
To take advantage of the new security defaults, LDAP_CONFIGURE_PPOLICY and LDAP_PPOLICY_HASH_CLEARTEXT should be set to yes. This will result in user passwords automatically being hashed, even if they are set in plaintext. This applies to users created through the LDAP_USERS and LDAP_PASSWORDS environment variables.
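To confirm that a directory has actually moved to the new default, and to find entries still on the retired {SSHA} scheme mentioned under "Possible drawbacks", here is an added audit script that is not part of this PR or the bitnami/openldap image: it parses ldapsearch LDIF output, classifies each userPassword value by scheme, crypt() algorithm id and round count, and flags anything weaker than the 5,000-round sha256-crypt default. The MIN_ROUNDS threshold, the sample LDIF and the hash bodies in it are constructed for illustration.

```python
import base64
import re
from collections import namedtuple

CRYPT_DEFAULT_ROUNDS = 5000  # glibc crypt() default when "rounds=" is omitted
MIN_ROUNDS = 5000            # audit threshold (assumption; equals the new container default)
STRONG_CRYPT = {"5": "sha256-crypt", "6": "sha512-crypt"}  # "$1$" md5-crypt and DES are rejected
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")
_CRYPT_RE = re.compile(r"^\$(\d)\$(?:rounds=(\d+)\$)?([^$]*)\$(.+)$")

# scheme is {SSHA}, {CRYPT}, ... or NONE for cleartext; ok is True when the value meets the default
PasswordAudit = namedtuple("PasswordAudit", "dn scheme algorithm rounds ok reason")

def audit_user_password(dn, value):
    """Classify one userPassword value against the new {CRYPT} sha256-crypt default."""
    m = _SCHEME_RE.match(value.strip())
    if not m:
        return PasswordAudit(dn, "NONE", "cleartext", None, False, "no hash scheme prefix")
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":  # {SHA}/{SSHA} (SHA-1), {MD5}/{SMD5} and anything else needs rehashing
        return PasswordAudit(dn, scheme, scheme.lower(), None, False, "not a crypt() hash; rehash")
    c = _CRYPT_RE.match(rest)
    if not c or c.group(1) not in STRONG_CRYPT:
        return PasswordAudit(dn, scheme, "legacy-crypt", None, False, "DES, md5-crypt or unknown id")
    rounds = int(c.group(2)) if c.group(2) else CRYPT_DEFAULT_ROUNDS
    ok = rounds >= MIN_ROUNDS
    reason = "meets the new default" if ok else f"rounds={rounds} below minimum {MIN_ROUNDS}"
    return PasswordAudit(dn, scheme, STRONG_CRYPT[c.group(1)], rounds, ok, reason)

def audit_ldif(text):
    """Walk ldapsearch LDIF output; userPassword is normally base64 ('::') encoded."""
    results, dn = [], "?"
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: "):
            results.append(audit_user_password(dn, base64.b64decode(line[15:]).decode()))
        elif line.startswith("userPassword: "):
            results.append(audit_user_password(dn, line[14:]))
    return results

# Constructed sample LDIF; the salt and hash bodies are placeholders, not real digests.
_B64 = base64.b64encode(b"{CRYPT}$5$rounds=5000$abcdefghijklmnop$PLACEHOLDERHASH").decode()
SAMPLE_LDIF = (
    "dn: cn=user01,ou=users,dc=example,dc=org\nuserPassword: {SSHA}UExBQ0VIT0xERVJTQUxU\n"
    f"dn: cn=user02,ou=users,dc=example,dc=org\nuserPassword:: {_B64}\n"
    "dn: cn=user03,ou=users,dc=example,dc=org\nuserPassword: {CRYPT}$6$rounds=1000$qrstuvwxyz$PLACEHOLDER\n"
    "dn: cn=user04,ou=users,dc=example,dc=org\nuserPassword: plaintext-secret\n"
)
```

Run it against `ldapsearch -LLL -b "ou=users,dc=example,dc=org" userPassword` output (as an account permitted to read the attribute) and rehash every entry reported as not ok.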