Kurt(a)OpenLDAP.org wrote:
> I'd argue that slappassword shouldn't read the configuration and hence not
> support 'contributed' hash mechanisms.

Which means if SHA-2 stays in a separate overlay in contrib/ there won't be
practically usable SHA-2 support in OpenLDAP. I consider it falling behind
other LDAP server implementations.

> But if you are going to make slappassword read the configuration, then it
> needs to be restricted to only users who have read access to the
> configuration.

Yes.

> I have no real opinion about whether SHA-2 should or shouldn't be in the
> core set of hashes... but personally I rather push folks towards SCRAM
> compatible hashes than the same poor usages of newer hash algorithms.

I concur that SCRAM would be the best choice.

But IMO adding SHA-2 support to the core does not hold anybody back from
developing/deploying SCRAM. In reality, getting completely rid of simple bind
in favour of SASL bind, no matter which SASL mech, is nothing that is done so
easily with all the applications out in the wild.

And last time I checked, SCRAM support in cyrus-sasl required the clear-text
password in userPassword. So this is outside the OpenLDAP project, isn't it?

Ciao, Michael.
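The thread contrasts two ways of protecting a stored credential: a salted SHA-2 userPassword value (the {SSHA256} style produced by the contrib pw-sha2 module) and a SCRAM verifier (RFC 5802 / RFC 7677). The following is an added example, not code from OpenLDAP or cyrus-sasl, that implements both so the difference is concrete. The {SSHA256} layout it assumes is the one used by OpenLDAP's classic {SSHA}: base64(digest(password || salt) || salt). The SCRAM part shows that a server holding only salt, iteration count, StoredKey and ServerKey can verify a client proof without ever seeing the clear-text password; all passwords, salts and nonces below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# ---- Salted SHA-256 userPassword value ({SSHA256}, layout assumed) ----

def ssha256_hash(password: bytes, salt: bytes = b"") -> str:
    """Return a {SSHA256} userPassword value: base64(sha256(pw||salt) || salt)."""
    if not salt:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: bytes, stored: str) -> bool:
    """Recompute the digest with the embedded salt; constant-time compare."""
    if not stored.startswith("{SSHA256}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(password + salt).digest(), digest)


# ---- SCRAM-SHA-256 verifier (RFC 5802 key derivation, SHA-256 per RFC 7677) ----

def _scram_keys(password: bytes, salt: bytes, iterations: int) -> tuple:
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, server_key


def scram_stored_credential(password: bytes, salt: bytes, iterations: int) -> dict:
    """What the server keeps: no clear-text, no SaltedPassword, no ClientKey."""
    client_key, server_key = _scram_keys(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": server_key,
    }


def scram_client_proof(password: bytes, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, _ = _scram_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_server_verify(cred: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(cred["stored_key"], auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), cred["stored_key"])


if __name__ == "__main__":
    pw = b"correct horse battery staple"      # constructed sample password
    print(ssha256_hash(pw))                   # e.g. {SSHA256}...base64...
    cred = scram_stored_credential(pw, b"saltsalt", 4096)
    # AuthMessage is built from the client-first-bare, server-first and
    # client-final-without-proof messages; a constructed one is enough here.
    auth_msg = b"n=alice,r=cnonce,r=cnoncesnonce,s=c2FsdHNhbHQ=,i=4096,c=biws,r=cnoncesnonce"
    proof = scram_client_proof(pw, b"saltsalt", 4096, auth_msg)
    print("SCRAM proof accepted:", scram_server_verify(cred, auth_msg, proof))
```

The {SSHA256} value is the "same usage of a newer hash" Kurt refers to: one unsalted-per-iteration hash that a password cracker can test at full SHA-256 speed, and whose verification requires the client to send the clear-text password over the bind. The SCRAM credential is stretched with PBKDF2, lets the server verify a proof without the clear-text password, and the stored key alone does not allow impersonating the client.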