Michael Ströder wrote:
hyc@symas.com wrote:
Why should X user ever need to run this tool to generate a value?
From slappasswd(8):
DESCRIPTION Slappasswd is used to generate an userPassword value suitable for use with ldapmodify(1), slapd.conf(5) rootpw configuration directive or the slapd-config(5) olcRootPW configuration directive.
Do you want to restrict this text regarding ldapmodify(1) only for the cases that the slappasswd user has also write access to back-config?
We could probably delete that ldapmodify(1) reference. Technically it has always been wrong, since there's never been any guarantee that an LDAP user's password was ever stored in any user-accessible attribute.
Of course you are the OpenLDAP boss. You can change everything to make it work for you. But it breaks existing operational procedures for other people.
The text also states: "The practice of storing hashed passwords in userPassword violates Standard Track (RFC 4519) schema specifications and may hinder interoperability."
Anyone building operational procedures on something that violates the specs was asking for trouble. Users should be using ldappasswd, that's what it's for.
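As an added example (not part of this thread and not OpenLDAP's own code), the following Python builds and verifies {SSHA} values in the layout slappasswd(8) emits by default, and wraps one into the slapd-config(5) olcRootPW modification the man page refers to; the 4-byte salt and the olcDatabase={1}mdb DN are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} layout as produced by slappasswd: "{SSHA}" + base64(sha1(pw + salt) + salt).
# A 4-byte salt is assumed here (slappasswd's default); this is illustrative code only.
SALT_LEN = 4
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword/olcRootPW value in {SSHA} form for `password`."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify `candidate` against a stored {SSHA} value; malformed input is rejected."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:  # digest must be followed by at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def rootpw_ldif(value: str) -> str:
    """LDIF setting olcRootPW on a config database (assumed DN: olcDatabase={1}mdb)."""
    return (
        "dn: olcDatabase={1}mdb,cn=config\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {value}\n"
    )


if __name__ == "__main__":
    value = make_ssha("secret")
    print(value)
    print(rootpw_ldif(value))
```

The LDIF is only meaningful for the rootpw/olcRootPW use that the man page describes; ordinary users change their own password with ldappasswd, as the reply above says.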