Michael Ströder wrote:
> hyc(a)symas.com wrote:
>> Why should X user ever need to run this tool to generate a value?
> From slappasswd(8):
> DESCRIPTION
> Slappasswd is used to generate an userPassword value suitable
> for use with ldapmodify(1), slapd.conf(5) rootpw configuration
> directive or the slapd-config(5) olcRootPW configuration directive.
> Do you want to restrict this text regarding ldapmodify(1) only for the cases
> that the slappasswd user has also write access to back-config?
We could probably delete that ldapmodify(1) reference. Technically it has
always been wrong, since there's never been any guarantee that an LDAP user's
password was ever stored in any user-accessible attribute.
> Of course you are the OpenLDAP boss. You can change everything to make it
> work for you. But it breaks existing operational procedures for other people.
> The text also states
> The practice of storing hashed passwords in userPassword violates
> Standard Track (RFC 4519) schema specifications and may hinder
> interoperability.
Anyone building operational procedures on something that violates the specs
was asking for trouble. Users should be using ldappasswd, that's what it's for.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
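The thread turns on what slappasswd actually produces: a "{SCHEME}data" string that slapd understands but that RFC 4519 does not define for userPassword. The following Python is an added example, not code from the thread or from the OpenLDAP project; it builds an {SSHA} value in the layout slapd uses (base64 of SHA-1(password || salt) followed by the salt), verifies a candidate password against cleartext, {SHA} and {SSHA} values, and audits a set of constructed entries for scheme-prefixed (hashed) values, which is the interoperability concern Michael quotes. The 4-byte salt length is assumed to match slappasswd's default; the entries and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# userPassword values written by slappasswd look like "{SCHEME}data"; a value
# without a scheme prefix is treated as cleartext, which is what RFC 4519 expects.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

SALT_LEN = 4   # assumption: slappasswd's default salt length for {SSHA}
SHA1_LEN = 20  # SHA-1 digest length in bytes


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Return (scheme, payload); scheme is None for a cleartext value."""
    m = SCHEME_RE.match(value)
    if m is None:
        return None, value
    return m.group(1).upper(), m.group(2)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value in the layout slapd uses: base64(SHA1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check candidate against a stored userPassword value (cleartext, {SHA} or {SSHA})."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme is None:
        # cleartext comparison, done in constant time
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme == "SHA":
        expected = base64.b64decode(payload)
        return hmac.compare_digest(hashlib.sha1(cand).digest(), expected)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    raise ValueError("unsupported password scheme {%s}" % scheme)


def audit_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Map each DN to the scheme stored in its userPassword, or 'cleartext'.

    Scheme-prefixed values are the case the thread describes as violating RFC 4519."""
    report = {}
    for dn, value in entries.items():
        scheme, _ = split_scheme(value)
        report[dn] = scheme or "cleartext"
    return report


if __name__ == "__main__":
    # constructed sample entries, not real directory data
    sample = {
        "uid=alice,dc=example,dc=com": ssha_hash("correct horse", salt=b"abcd"),
        "uid=bob,dc=example,dc=com": "battery staple",
    }
    print(audit_entries(sample))
    print(verify_userpassword(sample["uid=alice,dc=example,dc=com"], "correct horse"))
```

Howard's recommendation in the thread, ldappasswd, sidesteps this entirely: the client sends the cleartext over the Password Modify extended operation and the server applies whatever hashing policy it is configured with, so no client ever needs to know or produce the scheme layout above.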