> I'm trying to write a script to change the rootpw value in
> slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need
the rootdn I would disable rootpw in slapd.conf and add a real entry
for rootdn for which you can set the userPassword attribute.
Or use the dynamic config stuff to similarly change it on the fly
through ldapmodifies to stuff under cn=config.
Or if you really want slapd.conf style rootpw setting, try doing it
like the tests do now. (You may need to pull from CVS.) Several of
the overlays that are dynamically configurable generate a rootdn/
rootpw in a separate file called configpw.conf. (and keep a copy of
the plaintext, obviously...) This file is then used as part of the
main slapd.conf by the magic of the include directive. e.g. from
openldap/tests/data/slapd-translucent-local.conf:
  database config
  include "configpw.conf"
This could just as easily be used for any other database, or any
other configurable parameters you want your script to read and change
without understanding the full complexity of slapd.conf.
> My question has to do with the random salt. How do I verify the
> existing password?
We do not currently have a standalone tool providing that
functionality, but what you are looking for is in liblutil.
> Going through slappasswd doesn't appear to work,
> since it uses a random salt each time.
Yes, slappasswd is for generating not checking password values.
> Furthermore, how does the server know what the salt is?
Since you know how long the particular hash value is, everything
else is the salt.
In other words you need to look up the standard for how that hash
works and where the salt goes. Probably a better idea to use the
hash/check functions within lutil, or rely on slapd to do it for you.
Matthew Backes
Symas Corporation
mbackes(a)symas.com
lucca(a)accela.net
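The rule given above (the digest has a fixed length, so whatever follows it in the decoded value is the salt) is what a checker has to implement for the salted schemes slappasswd emits. The following is an added example, not code from the original thread or from OpenLDAP's liblutil: it generates and verifies {SSHA}/{SHA}/{SMD5}/{MD5} userPassword values in pure Python. The function names, the scheme table and the sample salt are assumptions of this example, and it uses a constant-time comparison when checking a candidate.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme table (an assumption of this example, not from liblutil):
# scheme name -> (hashlib algorithm name, whether the scheme is salted).
SCHEMES = {
    "{SSHA}": ("sha1", True),
    "{SHA}": ("sha1", False),
    "{SMD5}": ("md5", True),
    "{MD5}": ("md5", False),
}


def split_scheme(stored: str) -> Tuple[str, bytes]:
    """Return (scheme, decoded bytes) for a '{SCHEME}base64' value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {SCHEME} prefix")
    end = stored.index("}") + 1
    scheme = stored[:end].upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    return scheme, base64.b64decode(stored[end:])


def split_digest_salt(stored: str) -> Tuple[bytes, bytes]:
    """Split the decoded value into (digest, salt).

    The digest length is fixed by the hash algorithm, so everything
    after it is the salt (empty for unsalted schemes).
    """
    scheme, raw = split_scheme(stored)
    algo, salted = SCHEMES[scheme]
    digest_len = hashlib.new(algo).digest_size
    if len(raw) < digest_len or (not salted and len(raw) != digest_len):
        raise ValueError("decoded value has the wrong length for %s" % scheme)
    return raw[:digest_len], raw[digest_len:]


def make_hash(password: bytes, scheme: str = "{SSHA}",
              salt: Optional[bytes] = None) -> str:
    """Generate a userPassword value the way slappasswd would:
    base64(hash(password + salt) + salt), with a random salt by default."""
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # fresh random salt each time, like slappasswd
    digest = hashlib.new(algo, password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a stored value by recovering
    the salt from the stored value and recomputing the digest."""
    scheme, _ = split_scheme(stored)
    algo, _ = SCHEMES[scheme]
    digest, salt = split_digest_salt(stored)
    recomputed = hashlib.new(algo, candidate + salt).digest()
    # constant-time comparison so timing does not leak digest bytes
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the output is reproducible.
    sample = make_hash(b"secret", "{SSHA}", salt=b"abcd")
    print(sample)
    print("salt recovered:", split_digest_salt(sample)[1])
    print("correct password:", verify(sample, b"secret"))
    print("wrong password:", verify(sample, b"guess"))
```

Two values generated for the same password with the default random salt will differ, which is exactly why slappasswd output cannot be compared string-for-string; verify() recovers the salt from the stored value first and so does not depend on the salt that was chosen.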