On 09/03/15 10:54 -0700, Chuck Theobald wrote:
> I am finding it impossible to set user passwords to the form {SASL}name@ad.domain.my
> ldapmodify can delete userPassword, and can add it again but ends up setting it to a hash despite trying password-hash {CLEARTEXT} and password-hash {SASL} in slapd.conf. And no, I am not using slapd.d.
By hash, I assume you mean base64 encoding, which is how ldapsearch displays contents of userPassword when retrieved. uudecode the contents to see the actual data.
Here's a simple perl script I use:
#!/usr/bin/perl
# Decode one base64 string given on the command line, e.g. the value after "userPassword::"
use MIME::Base64;
print decode_base64($ARGV[0]); print "\n";
If you are actually retrieving a crypt(3) style hash, verify you are not running ldapmodify with an extension (-E) and that you are not doing something strange with an overlay.
password-hash should only come into play when performing an ldap password extended operation, such as with ldappasswd.
> Every post I find taunts me with things like "oh, set the userpassword to {SASL}blah@blah.com and it will Just Work". This simple step eludes me. I am seriously missing something quite easy.
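The two steps the reply describes (decode the "::" base64 that ldapsearch prints, then check whether what comes back is a {SASL} value or a real hash), together with the ldapmodify change record that stores the {SASL} value, as an added Python example. This is not code from the thread or from OpenLDAP; the DN, the SASL id, the sample entry and all helper names are constructed for illustration, and nothing here talks to a directory, so it runs offline.

```python
"""Added example (not from the thread): read userPassword as ldapsearch prints it
and build the ldapmodify record that stores a {SASL} pass-through value.

Assumed/constructed: the DN, the SASL id and the sample entry are made up;
slapd, ldapsearch and ldapmodify are not invoked, so this runs offline."""
import base64
import re

# RFC 2849 attribute line: "attr: text" or "attr:: base64". ldapsearch uses the
# "::" form for userPassword, which is why the value looks "hashed" at first glance.
_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Return {attr: [values]} for one LDIF record, decoding '::' base64 values.

    Decoded values are returned as text so a {SASL}/{SSHA}/{CRYPT} prefix is visible."""
    entry = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#") or line == "-":  # blank, comment, change separator
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, is_b64, value = m.groups()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        entry.setdefault(attr, []).append(value)
    return entry


def password_scheme(value):
    """Return the scheme name of a {SCHEME}... userPassword value, or None if bare.

    {SASL} means slapd defers the bind to SASL (saslauthd); {SSHA}/{CRYPT}/... mean a
    real hash was stored; None means slapd stored the literal string unchanged."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else None


def sasl_passthrough_modify(dn, sasl_id):
    """Build the ldapmodify change record that replaces userPassword with {SASL}<id>.

    The value is written base64-encoded ("::"), the same form ldapsearch prints, so
    the bytes sent are exactly the bytes in the record."""
    value = "{SASL}" + sasl_id
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword:: %s\n"
        "-\n" % (dn, b64)
    )


def check_roundtrip(dn, sasl_id):
    """Encode, then decode the way the reply suggests, and report what would be stored."""
    record = sasl_passthrough_modify(dn, sasl_id)
    entry = parse_ldif_entry(record)
    stored = entry["userPassword"][0]
    return stored, password_scheme(stored)


if __name__ == "__main__":
    # Constructed sample, not a real directory entry.
    dn = "uid=ctheobald,ou=people,dc=example,dc=org"
    sasl_id = "ctheobald@ad.domain.my"
    print(sasl_passthrough_modify(dn, sasl_id))  # save as record.ldif and feed to ldapmodify -f
    stored, scheme = check_roundtrip(dn, sasl_id)
    print("decoded:", stored, "-> scheme:", scheme)
```

Run the decode half against real ldapsearch output: if the decoded value still begins with {SASL}, the directory stored what you sent and the "hash" was only LDIF base64. If instead it begins with {SSHA} or {CRYPT}, something between ldapmodify and the backend rewrote it, which is where the reply's pointer to an overlay applies (the ppolicy overlay's ppolicy_hash_cleartext option is one such setting that hashes cleartext userPassword values on add and modify).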