10:50 a.m.
Hi all.
I'm trying to write a script to change the rootpw value in slapd.conf.
Before allowing the user to change the password, I'm asking that they
first verify the existing password.
My question has to do with the random salt. How do I verify the
existing password? Going through slappasswd doesn't appear to work,
since it uses a random salt each time. ie:
r52 ~ # slappasswd -s foo
{SSHA}OBe71ShE85Wd8PINTJzunxazszPWpon1
r52 ~ # slappasswd -s foo
{SSHA}OCK0lxJa+pfFqDfE39N3EZ8529IZIMhd
It doesn't appear from the man page for slappasswd that you can
specify the salt.
Furthermore, how does the server know what the salt is? (I read
through the FAQ on the website and it says the salt is added to the
password before encryption).
A little confused. Anything enlightening would be wonderful! Thanks much.
matt
1:38 a.m.
m h wrote:
I'm trying to write a script to change the rootpw value in slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need the
rootdn I would disable rootpw in slapd.conf and add a real entry for
rootdn for which you can set the userPassword attribute.
My question has to do with the random salt. How do I verify the
existing password?
Going through slappasswd doesn't appear to work,
since it uses a random salt each time.
Yes, slappasswd is for generating not checking password values.
Furthermore, how does the server know what the salt is?
Since you know how long the particular hash value is everything else is
the salt.
(I read through the FAQ on the website and it says the salt is added
to the password before encryption).
The salt is randomly chosen and hashed (not encrypted) together with the
password.
Anyway I'd recommend not to mess with slapd.conf at all (see above).
Ciao, Michael.
5:28 p.m.
> I'm trying to write a script to change the rootpw value in
> slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need
the
rootdn I would disable rootpw in slapd.conf and add a real entry for
rootdn for which you can set the userPassword attribute.
Or use the dynamic config stuff to similarly change it on the fly
through ldapmodifies to stuff under cn=config.
Or if you really want slapd.conf style rootpw setting, try doing it
like the tests do now. (You may need to pull from CVS.) Several of
the overlays that are dynamically configurable generate a rootdn/
rootpw in a separate file called configpw.conf. (and keep a copy of
the plaintext, obviously...) This file is then used as part of the
main slapd.conf by the magic of the include directive. e.g. from
openldap/tests/data/slapd-translucent-local.conf:
database config
include "configpw.conf"
This could just as easily be used for any other database, or any
other configurable parameters you want your script to read and change
without understanding the full complexity of slapd.conf.
> My question has to do with the random salt. How do I verify the
> existing password?
We do not currently have a standalone tool providing that
functionality, but what you are looking for is in liblutil.
> Going through slappasswd doesn't appear to work,
> since it uses a random salt each time.
Yes, slappasswd is for generating not checking password values.
> Furthermore, how does the server know what the salt is?
Since you know how long the particular hash value is everything
else is
the salt.
In other words you need to look up the standard for how that hash
works and where the salt goes. Probably a better idea to use the
hash/check functions within lutil, or rely on slapd to do it for you.
Matthew Backes
Symas Corporation
mbackes(a)symas.com
lucca(a)accela.net
1:33 p.m.
On 1/26/07, Michael Ströder <michael(a)stroeder.com> wrote:
m h wrote:
>
> I'm trying to write a script to change the rootpw value in slapd.conf.
Why? Parsing slapd.conf yourself is error-prone. If you really need the
rootdn I would disable rootpw in slapd.conf and add a real entry for
rootdn for which you can set the userPassword attribute.
Thanks to all for their responses. I should use the existing tools to
update the password instead of parsing slapd.conf. In order to do so,
I need to move the rootdn/rootpw into the database. So my next
question is how to migrate the rootdn from slapd.conf into the
database? Seems like a chicken and egg problem.
(Perhaps I'm not searching for the right terms on google. The example
from 7.1 here [1], shows what appears to be a rootdn entry (dn:
cn=Manager,dc=example,dc=com), but I can't set the userPasswd because
it is not a person.)
thanks
matt
1 - http://www.openldap.org/doc/admin22/dbtools.html
1:15 a.m.
m h wrote:
So my next
question is how to migrate the rootdn from slapd.conf into the
database? Seems like a chicken and egg problem.
You set rootdn and rootpw in slapd.conf. Then you create the base DIT
(entry for suffix) and a real entry for the rootdn. After that you
remove the rootpw from slapd.conf. You can set the userPassword
attribute via LDAP then.
(Perhaps I'm not searching for the right terms on google. The
example
from 7.1 here [1], shows what appears to be a rootdn entry (dn:
cn=Manager,dc=example,dc=com), but I can't set the userPasswd because
it is not a person.)
You mean this example from the 2.2 Admin Guide?
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
Seems to be a documentation bug. Add AUXILIARY object class
simpleSecurityObject to the entry:
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: Manager
description: Directory Manager
userPassword: secret
Ciao, Michael.
5094
days inactive
5109
days old
openldap-software@openldap.org
4 comments
3 participants
participants (3)
-
m h -
Matthew Backes -
Michael Ströder