I actually read the manpage this time on password-crypt-salt-format but still have some questions. It seems that only one salt format can be specified at a time but I'm wondering about the salt itself. A user can never specify what the salt string will be since the 2nd paragraph of that setting's description states the conversion will be substituted with a string of random characters, is that correct? And after reading the crypt(3) manpage it seems that the salt only applies to {CRYPT} passwords so that means it won't work (or be used) for SHA passwords (making them SSHA). Is that correct? I would guess it isn't correct based on the next paragraph.
The manpage states the default hash is SSHA (although I recently found out that on Debian with OpenLDAP 2.2.30 cleartext is the default) so I guess the salts do work with SHA to make SSHA passwords. If that is the case how does one have control over whether a salted or unsalted password is created if programmatically modifying a password by using the LDAP password extension or some other API? Is it a matter of either having salted or unsalted passwords (but not both at the same time) depending on whether the password-crypt-salt-format setting is configured?
One last question, if a salt is used with MD5 for example, is the password's hash prefixed with {SMD5} or is {MD5} still used?
All these hashes are confusing so I'm trying to get things clear in my head.
thanks