logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

slappasswd - OpenLDAP password utility

Contents

Acknowledgements

OpenLDAPSoftware is  developed  and  maintained  by  The  OpenLDAP  Project  <http://www.openldap.org/>.
       OpenLDAPSoftware is derived from the University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.9+dfsg-2ubuntu1                       2024/11/26                                      SLAPPASSWD(8)

Description

Slappasswd  is  used to generate an userPassword value suitable for use with ldapmodify(1), slapd.conf(5)
       rootpw configuration directive or the slapd-config(5) olcRootPW configuration directive.

Limitations

       The  practice  of  storing  hashed  passwords  in  userPassword violates Standard Track (RFC 4519) schema
       specifications and may hinder interoperability.  A new  attribute  type,  authPassword,  to  hold  hashed
       passwords has been defined (RFC 3112), but is not yet implemented in slapd(8).

       It should also be noted that the behavior of crypt(3) is platform specific.

Name

       slappasswd - OpenLDAP password utility

Options

-v     enable verbose mode.

       -u     Generate RFC 2307 userPassword values (the default).  Future versions of this program may generate
              alternative syntaxes by default.  This option is provided for forward compatibility.

       -ssecret
              The secret to hash.  If this, -g and -T are absent, the user will be prompted for  the  secret  to
              hash.  -s, -g and -T are mutually exclusive flags.

       -g     Generate  the  secret.  If this, -s and -T are absent, the user will be prompted for the secret to
              hash.  -s, -g and -T are mutually exclusive flags.  If this is present,  {CLEARTEXT}  is  used  as
              scheme.  -g and -h are mutually exclusive flags.

       -T"file"
              Hash  the  contents of the file.  If this, -g and -s are absent, the user will be prompted for the
              secret to hash.  -s, -g and -T and mutually exclusive flags.

       -h"scheme"
              If -h is specified, one of the following RFC  2307  schemes  may  be  specified:  {CRYPT},  {MD5},
              {SMD5}, {SSHA}, and {SHA}.  The default is {SSHA}.

              Note  that  scheme  names  may  need to be protected, due to { and }, from expansion by the user's
              command interpreter.

              {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

              {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

              {CRYPT} uses the crypt(3).

              {CLEARTEXT} indicates that the new password should be added to userPassword as clear text.  Unless
              {CLEARTEXT} is used, this flag is incompatible with option -g.

       -ccrypt-salt-format
              Specify the format of the salt passed to crypt(3) when generating {CRYPT} passwords.  This  string
              needs  to  be  in  sprintf(3)  format  and  may  include  one  (and only one) %s conversion.  This
              conversion will be substituted with  a  string  of  random  characters  from  [A-Za-z0-9./].   For
              example, '%.2s' provides a two character salt and '$1$%.8s' tells some versions of crypt(3) to use
              an MD5 algorithm and provides 8 random characters of salt.  The default is '%s', which provides 31
              characters of salt.

       -n     Omit the trailing newline; useful to pipe the credentials into a command.

       -ooption[=value]
              Specify an option with a(n optional) value.  Possible generic options/values are:

                     module-path=<pathspec> (see `modulepath' in slapd.conf(5))
                     module-load="<filename> [<arguments>...]" (see `moduleload' in slapd.conf(5))

              You can load a dynamically loadable password hash module by
              using this option.

Security Considerations

       Use  of hashed passwords does not protect passwords during protocol transfer.  TLS or other eavesdropping
       protections should be in-place before using LDAP simple bind.

       The hashed password values should be protected as if they were clear text passwords.

See Also

ldappasswd(1), ldapmodify(1), slapd(8), slapd.conf(5), slapd-config(5), RFC2307, RFC4519, RFC3112

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

Synopsis

/usr/sbin/slappasswd [-v] [-u] [-g|-ssecret|-Tfile] [-hhash] [-csalt-format] [-n] [-ooption[=value]]

See Also

Man Pages
slapd Man Pages
Man Pages
crypt Man Pages
Hash
Hash PNG Icons
Man Pages
ber_memalloc, ber_memcalloc, ber_memrealloc, ber_memfree, ber_memvfree Man Pages
Passwords
Passwords PNG Icons
Man Pages
secret Man Pages
Man Pages
sampasswd Man Pages
Password
Password PNG Icons
Salt
Salt PNG Icons
← View System admin Category← Back to Network service daemons🙏  Credits & Acknowledgments