Full_Name: Quanah Gibson-Mount
Version: 2.4.39
OS: Linux 3.11
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.58.125)
Global overlays (such as pw-sha2 from contrib) are unusable with cn=config. This is because the module is loaded after the bootstrap of cn=config.ldif.
I.e., add the module as loaded:
olcModuleLoad: {7}pw-sha2.la to dn: cn=module{0}, cn=config
In cn=config.ldif, set:
olcPasswordHash: {SSHA512}
As long as slapd is not restarted, this works, because the module gets loaded, and then the password hash gets set with the module loaded.
If you stop slapd and restart it, slapd will fail to load because it is loading cn=config.ldif with the olcPasswordHash set to something it doesn't recognize because it has not yet loaded the modules:
5306a920 >>> dnPrettyNormal: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5306a920 <<< dnPrettyNormal: <cn=config>, <cn=config>
5306a920 >>> dnNormalize: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5306a920 <<< dnNormalize: <cn=config>
5306a920 >>> dnNormalize: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5306a920 <<< dnNormalize: <cn=config>
5306a920 <= str2entry(cn=config) -> 0x1dd8008
5306a920 => test_filter
5306a920 PRESENT
5306a920 => access_allowed: search access to "cn=config" "objectClass" requested
5306a920 <= root access granted
5306a920 => access_allowed: search access granted by manage(=mwrscxd)
5306a920 <= test_filter 6
5306a920 olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA512})
5306a920 olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
5306a920 config error processing cn=config: <olcPasswordHash> no valid hashes found
5306a920 send_ldap_result: conn=-1 op=0 p=0
5306a920 send_ldap_result: err=80 matched="" text=""
5306a920 slapd destroy: freeing system resources.
5306a920 slapd stopped.
5306a920 connections_destroy: nothing to destroy.
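A pre-restart check for the condition reported above, as an added example that is not part of the original submission and is not OpenLDAP code: it reads the text of cn=config.ldif and of the module entry and reports any olcPasswordHash scheme that is only available once a module has been loaded. The function names, the built-in scheme list (assumed for a default 2.4 build), case-insensitive scheme matching and the sample LDIF are assumptions made for this example.

```python
import re

# Assumption: schemes compiled into a default OpenLDAP 2.4 slapd build.
# Adjust for builds with or without {CRYPT}, SASL passwords, etc.
BUILTIN_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}

def ldif_values(ldif_text, attr):
    """Return every plain-text value of attr, unfolding LDIF continuation lines."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values

def bootstrap_hash_problems(config_ldif, module_ldif, builtin=BUILTIN_SCHEMES):
    """Flag olcPasswordHash schemes that need a module not yet loaded at bootstrap."""
    schemes = [s.upper()  # assumption: scheme names match case-insensitively
               for v in ldif_values(config_ldif, "olcPasswordHash")
               for s in v.split()]
    missing = [s for s in schemes if s not in builtin]
    # Strip the {n} ordering prefix that cn=config adds to olcModuleLoad values.
    modules = [re.sub(r"^\{\d+\}", "", m)
               for m in ldif_values(module_ldif, "olcModuleLoad")]
    return {"missing_at_bootstrap": missing, "modules_loaded_later": modules}

# Constructed sample input mirroring the report (not copied from a real server).
SAMPLE_CONFIG = """# constructed sample of cn=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcPasswordHash: {SSHA512}
"""
SAMPLE_MODULE = """# constructed sample of cn=module{0}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {7}pw-sha2.la
"""

if __name__ == "__main__":
    report = bootstrap_hash_problems(SAMPLE_CONFIG, SAMPLE_MODULE)
    for scheme in report["missing_at_bootstrap"]:
        print(f"{scheme} is not built in; slapd will reject it at bootstrap "
              f"(modules loaded later: {', '.join(report['modules_loaded_later'])})")
```

A non-empty `missing_at_bootstrap` list means the next slapd restart would fail in the way the log above shows.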