Manpage of SLAPPASSWD

SLAPPASSWD

Section: Maintenance Commands (8C)
Updated: 2005/04/28
Index Return to Main Contents

NAME

slappasswd - OpenLDAP password utility

SYNOPSIS

/usr/sbin/slappasswd [-v] [-u] [-s secret|-T file] [-h hash] [-c salt-format]

DESCRIPTION

Slappasswd is used to generate an userPassword value suitable for use with ldapmodify(1) or slapd.conf(5) rootpw configuration directive.

OPTIONS

-v

enable verbose mode.

-u

Generate RFC 2307 userPassword values (the default). Future versions of this program may generate alternative syntaxes by default. This option is provided for forward compatibility.

-s secret

The secret to hash. If this and -T are absent, the user will be prompted for the secret to hash. -s and -T and mutually exclusive flags.

-T file

Hash the contents of the file. If this and -s are absent, the user will be prompted for the secret to hash. -s and -T and mutually exclusive flags.

-h scheme

If -h is specified, one of the following RFC 2307 schemes may be specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.

Note that scheme names may need to be protected, due to { and }, from expansion by the user's command interpreter.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

{CRYPT} uses the crypt(3).

{CLEARTEXT} indicates that the new password should be added to userPassword as clear text.

-c crypt-salt-format

Specify the format of the salt passed to crypt(3) when generating {CRYPT} passwords. This string needs to be in sprintf(3) format and may include one (and only one) %s conversion. This conversion will be substituted with a string random characters from [A-Za-z0-9./]. For example, '%.2s' provides a two character salt and '$1$%.8s' tells some versions of crypt(3) to use an MD5 algorithm and provides 8 random characters of salt. The default is '%s', which provides 31 characters of salt.

LIMITATIONS

The practice storing hashed passwords in userPassword violates Standard Track (RFC 2256) schema specifications and may hinder interoperability. A new attribute type, authPassword, to hold hashed passwords has been defined (RFC 3112), but is not yet implemented in slapd(8).

It should also be noted that the behavior of: crypt(3) is platform specific.

SECURITY CONSIDERATIONS

Use of hashed passwords does not protect passwords during protocol transfer. TLS or other eavesdropping protections should be in-place before using LDAP simple bind.

The hashed password values should be protected as if they: were clear text passwords.

ACKNOWLEDGEMENTS

OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release.

This document was created by man2html, using the manual pages.
Time: 21:32:58 GMT, May 16, 2005