Supports SHA2 password (voxpupuli#195)

* support sha2 password * added sha-2 password related example * Corrected regex which was missing in the previous commit * removed the SSHA* related conditional logic
antoine-roux · May 24, 2017 · e861eb0 · e861eb0
1 parent 36b8a38
commit e861eb0
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -126,6 +126,15 @@ openldap::server::database { 'dc=example,dc=com':
 
 `rootpw` will be automatically converted to a SSHA hash with random salt.
 
+Support SHA-2 password
+```puppet
+openldap::server::database { 'dc=example,dc=com':
+  directory => '/var/lib/ldap',
+  rootdn    => 'cn=admin,dc=example,dc=com',
+  rootpw    => '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
+}
+```
+
 ###Configuring modules
 
 ```puppet

diff --git a/lib/puppet/type/openldap_database.rb b/lib/puppet/type/openldap_database.rb
@@ -65,7 +65,7 @@
     desc "Password (or hash of the password) for the rootdn."
 
     def insync?(is)
-      if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA)\}.+/
+      if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA(256|384|512)?)\}.+/
         should == is
       else
         case is
@@ -83,6 +83,18 @@ def insync?(is)
           "{SSHA}" + Base64.encode64("#{Digest::SHA1.digest("#{should}#{salt}")}#{salt}").chomp == is
         when /^\{SHA\}.+/
           "{SHA}" + Digest::SHA1.hexdigest(should) == is
+        when /^\{(SHA(256|384|512))\}/
+          matches = is.match("^\{(SHA[\\d]{,3})\}")
+          raise ArgumentError, "Invalid password format: #{is}" if matches.nil?
+          crypto = matches[1]
+          case crypto
+          when 'SHA256'
+            '{SHA256}' + Digest::SHA256.hexdigest(should) == is
+          when 'SHA384'
+            '{SHA384}' + Digest::SHA384.hexdigest(should) == is
+          when 'SHA512'
+            '{SHA512}' + Digest::SHA512.hexdigest(should) == is
+          end
         else
           false
         end
@@ -92,7 +104,7 @@ def insync?(is)
     def sync
       require 'securerandom'
       salt = SecureRandom.random_bytes(4)
-      if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA)\}.+/
+      if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA(256|384|512)?)\}.+/
         @resource[:rootpw] = should
       else
         @resource[:rootpw] = "{SSHA}" + Base64.encode64("#{Digest::SHA1.digest("#{should}#{salt}")}#{salt}").chomp