Kurt@OpenLDAP.org wrote:

I'd argue that slappassword shouldn't read the configuration and hence not support 'contributed' hash mechanisms.

Which means if SHA-2 stays in a separate overlay contrib/ there won't be practically usable SHA-2 support in OpenLDAP. I consider it falling behind other LDAP server implementations.

But if you are going to make slappassword read the configuration, then it needs to be restricted to only users who have read access to the configuration.

Yes.

I have no real opinion about whether SHA-2 should or shouldn't be in the core set of hashes... but personally I rather push folks towards SCRAM compatible hashes than the same poor usages of newer hash algorithms.

I concur that SCRAM would be the best choice.

But IMO adding SHA-2 support to the core does not hold anybody back from developing/deploying SCRAM. In reality getting completely rid of simple bind in favour of SASL bind no matter which SASL mech is nothing done so easily with all the applications out in the wild.

And last time I checked SCRAM support in cyrus-sasl required clear-text password in userPassword. So this is outside the OpenLDAP project, isn't it?

Ciao, Michael.