I've been messing with trying to get SHA512 password hash formats in openldap 2.4.39 under a 64-bit CentOS 6 distribution, using the LTB RPMs.
I have read the FAQ at http://www.openldap.org/faq/data/cache/1467.html
- The first entry describes a third-party module; I have been using that for years on a 32-bit CentOS 5 platform, using the vendor-provided openldap-2.3.43 RPMs.
My efforts to build that module for 2.4.39 seemed to build clean, but efforts to bind as a user with a {SHA512} hashed password caused slapd to segfault.
I didn't try very hard to track that down, as there seem to be better supported techniques.
- The third entry describes a slapo-pw-sha2 overlay, but no LTB RPM provides the overlay. I tried exactly once to build this overlay, but that failed due to a configure failure. I blame me; I'll revisit this when I have the time.
However, I had some luck with the second entry, using {CRYPT}.
Following these instructions, I was able to create users, successfully bind, and even use ldappasswd to change the passwords:
http://www.openldap.org/lists/openldap-technical/201305/msg00002.html
But, when I generated a hashed password using suggestions like this:
http://serverfault.com/questions/330069/how-to-create-an-sha-512-hashed-pass...
# python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'
$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10
and tried to embed this rootpw in my config file:
rootpw {CRYPT}$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10
I would get bind errors.
Have I misunderstood how to use {CRYPT} for storing root's password?
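As an added example (not code from the original post or from OpenLDAP), here is a small Python parser and checker for {CRYPT} SHA-512 values of the kind embedded in rootpw above: it validates the $6$salt$digest shape, flags salt characters outside the portable crypt alphabet, and, where Python's crypt module is available, builds a fresh value with a random salt and verifies a candidate the way slapd's {CRYPT} scheme does, by handing the stored string back to crypt(3) as the setting and comparing the result.

```python
import hmac
import re

try:
    import crypt  # stdlib up to Python 3.12 (removed in 3.13); wraps crypt(3)
except ImportError:
    crypt = None
HAVE_CRYPT = crypt is not None

# Portable crypt(3) alphabet; the post's salt "random_salt" falls outside it ("_").
PORTABLE = re.compile(r"^[./0-9A-Za-z]*$")
# $6$[rounds=N$]salt$digest: SHA-512 crypt, salt up to 16 chars, 86-char digest.
SHA512_CRYPT = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})$")
# Value from the post (password "test", salt "random_salt"), used as sample input.
ROOTPW_EXAMPLE = ("{CRYPT}$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8f"
                  "AfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10")


def parse_crypt_value(stored):
    """Split '{CRYPT}$6$salt$digest' into parts; ValueError if the shape is wrong."""
    if not stored.startswith("{CRYPT}"):
        raise ValueError("missing {CRYPT} scheme prefix")
    m = SHA512_CRYPT.match(stored[len("{CRYPT}"):])
    if m is None:
        raise ValueError("not a well-formed $6$ (SHA-512) crypt string")
    rounds, salt, digest = m.groups()
    return {"rounds": int(rounds) if rounds else 5000,  # SHA-crypt default
            "salt": salt, "digest": digest,
            # glibc takes any non-'$' salt bytes; other libcrypts may reject them.
            "salt_portable": PORTABLE.match(salt) is not None}


def make_crypt_value(password):
    """Build a fresh {CRYPT} value with a random 16-char SHA-512 salt."""
    if not HAVE_CRYPT:
        raise RuntimeError("crypt module unavailable")
    return "{CRYPT}" + crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))


def verify_crypt_password(candidate, stored):
    """True if crypt(3)(candidate, stored) reproduces stored, which is how slapd checks it."""
    if not HAVE_CRYPT:
        raise RuntimeError("crypt module unavailable")
    parse_crypt_value(stored)  # reject malformed values before calling crypt(3)
    setting = stored[len("{CRYPT}"):]
    try:
        result = crypt.crypt(candidate, setting)
    except OSError:  # libcrypt rejected the setting string
        return False
    return result is not None and hmac.compare_digest(result, setting)
```

slapd only honours {CRYPT} values when it was built with crypt support (--enable-crypt), so a value that verifies here can still fail to bind against a build without it.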