Onno van der Straaten wrote:
Second corruption in one day. Trying to add a module using ldif:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: slapd-sha2.so
As it was not working correctly, I tried to remove this module. This is not implemented!!! You can delete a module once it is added.
I created a backup file of this config file. When the manual edit failed, I moved the backup file back in. This is the result:

[user@server cn=config]# service slapd configtest
Checking configuration files for slapd: [FAILED]
54758693 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif"
slaptest: bad configuration file!
Most likely you're working as root and slapd is running as non-root user. If you manually modified back-config's files you should check ownership/permissions.
I know I can use other directory servers. But I also think that the OpenLDAP community should not claim to offer good encryption of passwords when out-of-the-box you get NO encryption and you have to first become an OpenLDAP core developer to get this good encryption.
Personally I currently would not use slapd-sha2.so because SHA-2 hashes are optimized for performance.
You could use a stronger {CRYPT} scheme (not the default!).
E.g. I have in slapd.conf (static config):
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"
Make sure you understand crypt hash schemes in man-page crypt(3). The caveat is that {CRYPT} is not really platform-independent.
Ciao, Michael.
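An added audit script, not from this thread or from the OpenLDAP project, that checks the userPassword values in an LDIF export against the {CRYPT} policy Michael describes (sha512crypt, i.e. $6$, with a 12-character salt as produced by "$6$%.12s") and flags cleartext values, single-pass SHA/MD5 schemes such as those slapd-sha2 provides, and short salts. The entries and hash bodies are constructed placeholders, and the DN layout is assumed.

```python
import base64
import re
# Policy from Michael's slapd.conf above: sha512crypt ($6$) with a 12-char salt ("$6$%.12s").
REQUIRED_CRYPT_ID = "6"
REQUIRED_SALT_LEN = 12
# Modular crypt format $id$salt$hash; "rounds=" prefixes are deliberately not handled.
CRYPT_RE = re.compile(r"^\$(?P<id>[156])\$(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")

def ldif_b64(attr, value):
    """Encode an attribute as an LDIF base64 line ('attr:: <base64>')."""
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

# Constructed sample export (not from the thread); hash bodies are placeholders.
SAMPLE_USERS = [
    ("alice", "{CRYPT}$6$Ab3dEf9hIj1K$" + "x" * 86),  # matches the policy
    ("bob", "{SSHA}" + "y" * 32),                      # salted single-pass SHA-1
    ("carol", "{CRYPT}$6$short$" + "z" * 86),          # $6$ but salt too short
]
SAMPLE_LDIF = "\n\n".join(
    f"dn: uid={u},ou=people,dc=example,dc=com\n" + ldif_b64("userPassword", v)
    for u, v in SAMPLE_USERS
) + "\n\ndn: uid=dave,ou=people,dc=example,dc=com\nuserPassword: hunter2"

def classify(value):
    """Return (scheme, finding) for one decoded userPassword value."""
    m = re.match(r"^\{(?P<scheme>[A-Za-z0-9-]+)\}(?P<rest>.*)$", value)
    if not m:
        return "cleartext", "stored without any hash scheme"
    scheme, rest = m.group("scheme").upper(), m.group("rest")
    if scheme != "CRYPT":
        return scheme, "single-pass SHA/MD5 family hash, not an iterated crypt(3) scheme"
    c = CRYPT_RE.match(rest)
    if not c:
        return scheme, "legacy DES or unrecognised crypt format"
    if c.group("id") != REQUIRED_CRYPT_ID:
        return scheme, f"crypt id ${c.group('id')}$ is not sha512crypt ($6$)"
    if len(c.group("salt")) != REQUIRED_SALT_LEN:
        return scheme, f"salt length {len(c.group('salt'))} != {REQUIRED_SALT_LEN}"
    return scheme, "ok"

def audit_ldif(text):
    """Map each DN to its userPassword finding (folded LDIF lines not handled)."""
    findings, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            findings[dn] = classify(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: "):
            findings[dn] = classify(line[14:])
    return findings
```

Run it against a real `slapcat` output to see which entries were hashed before the password-hash directive was changed; existing hashes are only rewritten when the user next sets a password.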