slappasswd(8)
SLAPPASSWD(8C) OpenLDAP 2.1.12 SLAPPASSWD(8C)
NAME
slappasswd - OpenLDAP password utility
SYNOPSIS
/usr/bin/slappasswd [-v] [-u] [-s secret] [-h hash] [-c
salt-format]
DESCRIPTION
Slappasswd is used to generate an userPassword value
suitable for use with ldapmodify(1) or slapd.conf(5) rootpw
configuration directive.
OPTIONS
-v enable verbose mode.
-u Generate RFC 2307 userPassword values (the default).
Future versions of this program may generate
alternative syntaxes by default. This option is
provided for forward compatibility.
-s secret
The secret to hash. If not provided, the user will be
prompted for the secret to hash.
-h scheme
If -h is specified, one of the following RFC 2307
schemes may be specified: {CRYPT}, {MD5}, {SMD5},
{SSHA}, and {SHA}. The default is {SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1),
the latter with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the
latter with a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be
added to userPassword as clear text.
-c crypt-salt-format
Specify the format of the salt passed to crypt(3) when
generating {CRYPT} passwords. This string needs to be
in sprintf(3) format and may include one (and only one)
%s conversion. This conversion will be substituted
with a string random characters from [A-Za-z0-9./].
For example, "%.2s" provides a two character salt and
"$1$%.8s" tells some versions of crypt(3) to use an MD5
algorithm and provides 8 random characters of salt.
The default is "%s", which provides 31 characters of
salt.
Page 1 (printed 1/20/103)
SLAPPASSWD(8C) OpenLDAP 2.1.12 SLAPPASSWD(8C)
LIMITATIONS
The practice storing hashed passwords in userPassword
violates Standard Track (RFC 2256) schema specifications and
may hinder interoperability. A new attribute type,
authPassword, to hold hashed passwords has been defined (RFC
3112), but is not yet implemented in slapd(8).
SECURITY CONSIDERATIONS
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
should be inplace before using LDAP simple bind. The hashed
password values should be protected as if they were clear
text passwords.
SEE ALSO
ldappasswd(1), ldapmodify(1), slapd(8) slapd.conf(5) RFC
2307 RFC 2256 RFC 3112
"OpenLDAP Administrator's Guide"
(http://www.OpenLDAP.org/doc/admin/)
ACKNOWLEDGEMENTS
OpenLDAP is developed and maintained by The OpenLDAP Project
(http://www.openldap.org/). OpenLDAP is derived from
University of Michigan LDAP 3.3 Release.
Page 2 (printed 1/20/103)
Man(1) output converted with
man2html