Hi all.
I'm trying to write a script to change the rootpw value in slapd.conf. Before allowing the user to change the password, I'm asking that they first verify the existing password.
My question has to do with the random salt. How do I verify the existing password? Going through slappasswd doesn't appear to work, since it uses a random salt each time, i.e.:
r52 ~ # slappasswd -s foo
{SSHA}OBe71ShE85Wd8PINTJzunxazszPWpon1
r52 ~ # slappasswd -s foo
{SSHA}OCK0lxJa+pfFqDfE39N3EZ8529IZIMhd
It doesn't appear from the man page for slappasswd that you can specify the salt.
Furthermore, how does the server know what the salt is? (I read through the FAQ on the website and it says the salt is added to the password before encryption).
A little confused. Anything enlightening would be wonderful! Thanks much.
matt
m h wrote:
I'm trying to write a script to change the rootpw value in slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need the rootdn I would disable rootpw in slapd.conf and add a real entry for rootdn for which you can set the userPassword attribute.
My question has to do with the random salt. How do I verify the existing password?
Going through slappasswd doesn't appear to work, since it uses a random salt each time.
Yes, slappasswd is for generating not checking password values.
Furthermore, how does the server know what the salt is?
Since you know how long the particular hash value is everything else is the salt.
(I read through the FAQ on the website and it says the salt is added to the password before encryption).
The salt is randomly chosen and hashed (not encrypted) together with the password.
Anyway I'd recommend not to mess with slapd.conf at all (see above).
Ciao, Michael.
I'm trying to write a script to change the rootpw value in slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need the rootdn I would disable rootpw in slapd.conf and add a real entry for rootdn for which you can set the userPassword attribute.
Or use the dynamic config stuff to similarly change it on the fly through ldapmodifies to stuff under cn=config.
Or if you really want slapd.conf style rootpw setting, try doing it like the tests do now. (You may need to pull from CVS.) Several of the overlays that are dynamically configurable generate a rootdn/ rootpw in a separate file called configpw.conf. (and keep a copy of the plaintext, obviously...) This file is then used as part of the main slapd.conf by the magic of the include directive. e.g. from openldap/tests/data/slapd-translucent-local.conf:
database config
include "configpw.conf"
This could just as easily be used for any other database, or any other configurable parameters you want your script to read and change without understanding the full complexity of slapd.conf.
My question has to do with the random salt. How do I verify the existing password?
We do not currently have a standalone tool providing that functionality, but what you are looking for is in liblutil.
Going through slappasswd doesn't appear to work, since it uses a random salt each time.
Yes, slappasswd is for generating not checking password values.
Furthermore, how does the server know what the salt is?
Since you know how long the particular hash value is everything else is the salt.
In other words you need to look up the standard for how that hash works and where the salt goes. Probably a better idea to use the hash/check functions within lutil, or rely on slapd to do it for you.
Matthew Backes
Symas Corporation
mbackes@symas.com
lucca@accela.net
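Added example (not code from this thread or from OpenLDAP): a small Python script doing what Michael's and Matthew's replies describe for {SSHA}, i.e. base64-decode the value, take the first 20 bytes as the SHA-1 digest, treat the remainder as the salt, and recompute SHA-1(password + salt). The fixed 4-byte salt used for the constructed value is an assumption for reproducibility.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# SHA-1 digests are always 20 bytes; whatever follows the digest is the salt.
DIGEST_LEN = hashlib.sha1().digest_size


def make_ssha(password: str, salt=None) -> str:
    """Build a {SSHA} value the way slappasswd does: base64(SHA1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also picks a fresh random salt each run
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); the salt is simply the bytes after the digest."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def check_ssha(password: str, value: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value."""
    stored_digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(stored_digest, candidate)


if __name__ == "__main__":
    # Constructed value with a fixed salt so the output is reproducible.
    stored = make_ssha("foo", salt=b"\x01\x02\x03\x04")
    print(stored, check_ssha("foo", stored), check_ssha("bar", stored))
    # The two values posted earlier in the thread were both made from "foo"
    # with different salts, so each one should verify on its own.
    for posted in ("{SSHA}OBe71ShE85Wd8PINTJzunxazszPWpon1",
                   "{SSHA}OCK0lxJa+pfFqDfE39N3EZ8529IZIMhd"):
        print(posted, check_ssha("foo", posted))
```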
On 1/26/07, Michael Ströder michael@stroeder.com wrote:
m h wrote:
I'm trying to write a script to change the rootpw value in slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need the rootdn I would disable rootpw in slapd.conf and add a real entry for rootdn for which you can set the userPassword attribute.
Thanks to all for their responses. I should use the existing tools to update the password instead of parsing slapd.conf. In order to do so, I need to move the rootdn/rootpw into the database. So my next question is how to migrate the rootdn from slapd.conf into the database? Seems like a chicken and egg problem.
(Perhaps I'm not searching for the right terms on google. The example from 7.1 here [1], shows what appears to be a rootdn entry (dn: cn=Manager,dc=example,dc=com), but I can't set the userPasswd because it is not a person.)
thanks
matt
m h wrote:
So my next question is how to migrate the rootdn from slapd.conf into the database? Seems like a chicken and egg problem.
You set rootdn and rootpw in slapd.conf. Then you create the base DIT (entry for suffix) and a real entry for the rootdn. After that you remove the rootpw from slapd.conf. You can set the userPassword attribute via LDAP then.
(Perhaps I'm not searching for the right terms on google. The example from 7.1 here [1], shows what appears to be a rootdn entry (dn: cn=Manager,dc=example,dc=com), but I can't set the userPasswd because it is not a person.)
You mean this example from the 2.2 Admin Guide?
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
Seems to be a documentation bug. Add AUXILIARY object class simpleSecurityObject to the entry:
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: Manager
description: Directory Manager
userPassword: secret
Ciao, Michael.
openldap-software@openldap.org