Brandon McCombs writes:
The question is how does a person choose to use a salt or not use a salt if they have no control over what the salt is?
If he uses the Password Modify extended operation, slapd will hash the password for him, with the hash method specified by password-hash in slapd.conf.
If he wants to control exactly how some password is hashed, he can generate the hashed password himself (with the appropriate {hashmethod} prefix) and use the LDAP Add or Modify operation to store it in attribute userPassword. As the slapd.conf(5) man page says (under password-hash).
What determines whether a salt is applied?
For Password Modify: A salt is generated if the specified method needs a salt.
If a salt is specified on the conf file
*a* salt? With the password-crypt-salt-format keyword? You do not intend to use a salted method only to reduce security by using the same salt for everyone, I hope.
then it applies to everyone and no one can choose *not* to use it, is that correct?
Not if they use Password Modify. If they use Modify, the can use something else.