This is what I use. I'm not sure this is the highest possible security but it did fix the "ignore anything over 8 characters" issue.
password-hash {CRYPT} password-crypt-salt-format "$6$%.12s"
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder Sent: Friday, May 15, 2015 5:08 AM To: Quanah Gibson-Mount; openldap-technical@openldap.org Subject: Re: Openldap password problems
Quanah Gibson-Mount wrote:
Setting the default to {CRYPT} is a security nightmare,
Such a general statement is non-sense without taking a closer look at which crypt scheme is really used.
Consult your local crypt(3) man page to see whether crypt schemes like "$6$" or "$2b$" are supported on your system which are definitely stronger than simple {SSHA}. Then use password-crypt-salt-format to make use of such a crypt scheme.
Ciao, Michael.