Quanah,
You are right about SHA256: Somehow the extra "S" seems to have got lost during my experiments 😉
Anyway, I found the problem, and it might reveal another bug in the OpenLDAP server I am using: When adding olcPasswordHash to olcDatabase={-1}frontend,cn=config had failed, I simply added it to cn=config (where it succeeded). However, the correct fix was to add the missing "objectClass: olcFrontendConfig" to olcDatabase={-1}frontend,cn=config, and then add the "olcPasswordHash: {SSHA256}" to olcDatabase={-1}frontend,cn=config. Then slapcat also does not complain.
I thought I'll write this for others.
Why slapd allowed adding the attribute to cn=config I cannot explain, sorry. The frontend database missing olcFrontendConfig had never been a problem so far. Unfortunately ldapmodify refuses to add the missing objectclass; only slapmodify would do.
ldap_modify: Server is unwilling to perform (53) additional info: objectclass modification disallowed
Kind regards, Ulrich Windl
-----Original Message----- From: Quanah Gibson-Mount quanah@fast-mail.org Sent: Tuesday, April 22, 2025 5:44 PM To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org Subject: [EXT] Re: slapcat complains "scheme not available" after using "olcPasswordHash: sha256"
--On Tuesday, April 22, 2025 2:07 PM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
Hi!
Using OpenLDAP 2.5 from SLES15 SP6 I added "olcPasswordHash: sha256" ("olcPasswordHash: {sha256}") to cn=config (I wanted to add it to the {-1}frontend database, but slapd refused).
I was able to set {SHA256} RootPWs, but now when I try slapcat, I get an error saying:
Is it my error, or slapcat's?
If you didn't add pw-sha2 as a moduleload to the server configuration, then it would be your error, and based on the output, that appears to be the case. I would additionally note that it's a very bad idea to use SHA256; SSHA256 would be significantly better, since then it is salted.
--Quanah
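The two fixes the thread arrives at (Quanah: load pw-sha2 so the {SHA256}/{SSHA256} schemes exist; Ulrich: add objectClass olcFrontendConfig to olcDatabase={-1}frontend,cn=config and set olcPasswordHash: {SSHA256} there, via slapmodify because ldapmodify refuses the objectClass change), written out as LDIF, together with a check that reads an "slapcat -n 0" dump and flags a pw-sha2 scheme configured without the module loaded. This is an added example, not code from either message or from the OpenLDAP project. The module-list DN cn=module{0},cn=config, the function names and the sample dumps in the comments are assumptions; verify the DN on your own server before applying.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OpenLDAP 2.5 cn=config server,
# pw-sha2 installed in slapd's default module path, and a module list entry at
# cn=module{0},cn=config (assumed DN: check with
# "slapcat -n 0 | grep -A3 '^dn: cn=module'"; if no module entry exists yet,
# add one with objectClass olcModuleList instead of modifying it).

# Step 1 (Quanah's point): load pw-sha2 so {SHA256}/{SSHA256} are known schemes.
ldif_load_pw_sha2() {
    cat <<'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2
EOF
}

# Step 2 (Ulrich's fix): give the frontend entry olcFrontendConfig, then set
# the salted scheme on it rather than on cn=config.
ldif_frontend_ssha256() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: objectClass
objectClass: olcFrontendConfig
-
add: olcPasswordHash
olcPasswordHash: {SSHA256}
EOF
}

# Apply offline with slapmodify (stop slapd first); in the thread ldapmodify
# refused the objectClass change with "objectclass modification disallowed".
apply_fix_offline() {
    ldif_load_pw_sha2 | slapmodify -n 0 &&
    ldif_frontend_ssha256 | slapmodify -n 0
}

# Check: read an "slapcat -n 0" dump on stdin and return 1 when some
# olcPasswordHash value needs pw-sha2 but no olcModuleLoad line loads it.
# That mismatch is what produces slapcat's "scheme not available".
check_pw_hash_module() {
    dump=$(cat)
    schemes=$(printf '%s\n' "$dump" \
        | grep -i '^olcPasswordHash:' \
        | grep -ioE '[{]S?SHA(256|384|512)[}]' \
        | tr '[:lower:]' '[:upper:]' | sort -u | tr '\n' ' ')
    [ -z "$schemes" ] && return 0          # no pw-sha2 scheme configured
    # slapcat shows ordered values, e.g. "olcModuleLoad: {0}pw-sha2.la"
    if printf '%s\n' "$dump" | grep -iq '^olcModuleLoad:.*pw-sha2'; then
        return 0
    fi
    echo "olcPasswordHash uses ${schemes}but no olcModuleLoad: pw-sha2 is present" >&2
    return 1
}
```

Usage: source the file, then run `slapcat -n 0 | check_pw_hash_module` on the live server to see whether the module is missing, and `apply_fix_offline` with slapd stopped to apply both LDIF changes. The check deliberately matches any pw-sha2 scheme, not only {SSHA256}, because the module provides all of {SHA256}, {SHA384}, {SHA512} and their salted variants.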