On Fri, May 31, 2013 at 10:13:12AM -0700, Tim Gustafson wrote:
> slapd.conf: line 82: substr index of attribute "userPassword" disallowed
And quite right too! You really don't want to make it any easier for an attacker to search for weak passwords.
> Why is that? How can I do a search that would tell me which of my users is using an SHA-hashed password?
You don't need to modify the Slapd setup for that: just work with an LDIF backup of the data (e.g. from slapcat). Use grep to extract the userPassword attributes. You will then need a script to convert the values from Base-64 encoding to text, and a regular expression to extract the encoding scheme from the front of the text string.
That will let you count the number of users for each scheme (e.g. using sort and uniq).
If you really want to know which users use which scheme then replace grep with an LDIF parser and extract both userPassword and uid at the same time. The LDIF parser will take care of the Base-64 for you as well.
You should be able to do the whole job in less than 20 lines of Perl or Python.
Andrew
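
The procedure described in the reply above, as an added example that is not part of the original message: a minimal LDIF reader that reports the password scheme per uid and never prints the hash values themselves. It handles folded lines and Base-64 (`::`) values but not all of RFC 2849; the function names, the `NO-PREFIX` label and the sample entries are constructed for illustration.

```python
import base64
import re
from collections import Counter

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}")  # e.g. {SSHA}, {SHA}, {CRYPT}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample in slapcat-style LDIF (no real accounts or hashes).
_bob = _b64("{SHA}constructed-sample-value")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\nuid: alice\n"
    "userPassword:: " + _b64("{SSHA}constructed-sample-value") + "\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\nuid: bob\n"
    "userPassword:: " + _bob[:12] + "\n " + _bob[12:] + "\n\n"  # folded line
    "dn: uid=carol,ou=people,dc=example,dc=com\nuid: carol\n"
    "userPassword: constructed-sample-value\n"
)

def parse_ldif(text):
    """Yield one dict per entry: lowercased attribute name -> list of bytes."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):   # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip())
            else:                      # "attr: <text>"
                value = rest.strip().encode()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def schemes_by_user(text):
    """Return {uid: [scheme, ...]}; the password values are never returned."""
    result = {}
    for entry in parse_ldif(text):
        if "userpassword" in entry:
            uid = entry.get("uid", entry.get("dn", [b"?"]))[0].decode("utf-8", "replace")
            found = (SCHEME_RE.match(pw.decode("utf-8", "replace")) for pw in entry["userpassword"])
            result[uid] = [m.group(1).upper() if m else "NO-PREFIX" for m in found]
    return result

if __name__ == "__main__":
    users = schemes_by_user(SAMPLE_LDIF)  # replace with the text of a slapcat dump
    for scheme, n in Counter(s for v in users.values() for s in v).most_common():
        print(f"{n:5d} {scheme}")
    print("unsalted SHA:", sorted(u for u, v in users.items() if "SHA" in v))
```

Since the slapcat dump contains every password hash, keep it readable only by the account running the script and delete it afterwards.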