Michael Ströder wrote:
> Why should X user ever need to run this tool to generate a value?
Slappasswd is used to generate an userPassword value suitable
for use with ldapmodify(1), slapd.conf(5) rootpw configuration
directive or the slapd-config(5) olcRootPW configuration directive.
Do you want to restrict this text regarding ldapmodify(1) only for the cases
that the slappasswd user has also write access to back-config?
We could probably delete that ldapmodify(1) reference. Technically it has
always been wrong, since there's never been any guarantee that an LDAP user's
password was ever stored in any user-accessible attribute.
Of course your are the OpenLDAP boss. You can change everything to
work for you. But it breaks existing operational procedures for other people.
The text also states
The practice of storing hashed passwords in userPassword violates
Standard Track (RFC 4519) schema specifications and may hinder
Anyone building operational procedures on something that violates the specs
was asking for trouble. Users should be using ldappasswd, that's what it's for.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/