SLAPPASSWD(8) | System Manager's Manual | SLAPPASSWD(8) |
slappasswd - OpenLDAP password utility
/usr/sbin/slappasswd [-v] [-u] [-g|-s secret|-T file] [-h hash] [-c salt-format] [-n] [-o option[=value]]
Slappasswd is used to generate a userPassword value suitable for use with ldapmodify(1), the slapd.conf(5) rootpw configuration directive or the slapd-config(5) olcRootPW configuration directive.
Note that scheme names may need to be protected, due to { and }, from expansion by the user's command interpreter.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.
{CRYPT} uses crypt(3).
{CLEARTEXT} indicates that the new password should be added to userPassword as clear text. Unless {CLEARTEXT} is used, the -h option is incompatible with option -g.
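The sketch below is an added example, not part of the original manual page or of OpenLDAP's code. It shows how the seeded schemes above are laid out, base64(digest(secret + seed) + seed), and checks a candidate secret against a stored value. The function names and the 4-byte seed length are assumptions made for the example. Verification needs nothing but the stored value, which is why hashed values deserve the same protection as clear text passwords.

```python
import base64
import hashlib
import hmac
import os

# Digest algorithm and digest length for the hashed schemes named on this page.
# The last field says whether a seed (salt) is appended after the digest.
SCHEMES = {
    "{SHA}": ("sha1", 20, False),
    "{SSHA}": ("sha1", 20, True),
    "{MD5}": ("md5", 16, False),
    "{SMD5}": ("md5", 16, True),
}


def split_value(value):
    """Split '{SCHEME}data' into (upper-cased scheme, data); scheme is '' if absent."""
    if not value.startswith("{") or "}" not in value:
        return "", value
    end = value.index("}") + 1
    return value[:end].upper(), value[end:]


def make_value(scheme, secret, seed=None):
    """Build a value for one of SCHEMES (hypothetical helper, not slappasswd itself)."""
    algo, _, seeded = SCHEMES[scheme]
    # Assumption: a 4-byte random seed when the caller does not supply one.
    seed = (seed if seed is not None else os.urandom(4)) if seeded else b""
    digest = hashlib.new(algo, secret.encode() + seed).digest()
    return scheme + base64.b64encode(digest + seed).decode()


def verify(value, secret):
    """Return True/False for schemes handled here, None for the rest."""
    scheme, data = split_value(value)
    if scheme == "{CLEARTEXT}":
        return hmac.compare_digest(data.encode(), secret.encode())
    if scheme not in SCHEMES:
        return None  # e.g. {CRYPT}, whose result depends on the platform's crypt(3)
    algo, size, seeded = SCHEMES[scheme]
    raw = base64.b64decode(data)
    digest, seed = raw[:size], raw[size:]  # the seed is whatever follows the digest
    if bool(seed) != seeded:
        return False  # malformed: seed present or missing against the scheme
    expected = hashlib.new(algo, secret.encode() + seed).digest()
    return hmac.compare_digest(digest, expected)
```
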
module-path=<pathspec> (see `modulepath' in slapd.conf(5))
module-load=<filename> (see `moduleload' in slapd.conf(5))
You can load a dynamically loadable password hash module by using this option.
The practice of storing hashed passwords in userPassword violates Standard Track (RFC 4519) schema specifications and may hinder interoperability. A new attribute type, authPassword, to hold hashed passwords has been defined (RFC 3112), but is not yet implemented in slapd(8).
It should also be noted that the behavior of crypt(3) is platform specific.
Use of hashed passwords does not protect passwords during protocol transfer. TLS or other eavesdropping protections should be in place before using LDAP simple bind.
The hashed password values should be protected as if they were clear text passwords.
ldappasswd(1), ldapmodify(1), slapd(8), slapd.conf(5), slapd-config(5), RFC 2307, RFC 4519, RFC 3112
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from the University of Michigan LDAP 3.3 Release.
2018/12/19 | OpenLDAP |