Hi!
Using OpenLDAP 2.5 from SLES15 SP6 I added "olcPasswordHash: sha256" ("olcPasswordHash: {sha256}") to cn=config (I wanted to add it to the {-1}frontend database, but slapd refused). I was able to set {SHA256} RootPWs, but now when I try slapcat, I get an error saying:
  # slapcat -n0
  olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA256})
  olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
  config error processing cn=config: <olcPasswordHash> no valid hashes found
  slapcat: bad configuration file!
For slappasswd I can use option "-o module-load=pw-sha2", but slapcat does not have it:
  # slapcat -o module-load=pw-sha2 -n0
  usage: slapcat [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]] [-c] [-g] [-n databasenumber | -b suffix] [-l ldiffile] [-a filter] [-s subtree] [-H url]
Is it my error, or slapcat's?
Regards, Ulrich
--On Tuesday, April 22, 2025 2:07 PM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
> Hi!
> Using OpenLDAP 2.5 from SLES15 SP6 I added "olcPasswordHash: sha256" ("olcPasswordHash: {sha256}") to cn=config (I wanted to add it to the {-1}frontend database, but slapd refused.
> I was able to set {SHA256} RootPWs, but now when I try slapcat, I get an error saying:
> Is it my error, or slapcat's?
If you didn't add pw-sha2 as a moduleload to the server configuration, then it would be your error, and based on the output, that appears to be the case. I would additionally note that it's a very bad idea to use SHA256, SSHA256 would be significantly better since then it is salted.
--Quanah
Quanah,
You are right about SHA256: Somehow the extra "S" seems to have got lost during my experiments 😉
Anyway, I found the problem, and it might reveal another bug in the OpenLDAP server I am using: When adding olcPasswordHash to olcDatabase={-1}frontend,cn=config had failed, I simply added it to cn=config (where it succeeded). However, the correct fix was to add the missing "objectClass: olcFrontendConfig" to olcDatabase={-1}frontend,cn=config, and then add the "olcPasswordHash: {SSHA256}" to olcDatabase={-1}frontend,cn=config. Then slapcat also does not complain.
I thought I'd write this down for others.
Why slapd allowed adding the attribute to cn=config I cannot explain, sorry. The frontend database missing olcFrontendConfig had never been a problem so far. Unfortunately ldapmodify refuses to add the missing objectclass; only slapmodify would do.
  ldap_modify: Server is unwilling to perform (53)
        additional info: objectclass modification disallowed
Kind regards, Ulrich Windl
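For readers who land here with the same error, the three changes the thread arrives at, written out as one LDIF (an added example, not the poster's own file): load pw-sha2 server-side so every slap* tool sees the scheme, give the frontend database its missing objectClass, and only then set the salted scheme there rather than on cn=config. The cn=module{0} entry name and the /etc/openldap/slapd.d config directory are assumptions about a typical SLES install; the objectClass change has to go through slapmodify with slapd stopped, the other two can be fed to ldapmodify against cn=config.

```ldif
# 1. Load pw-sha2 in the server config. "slappasswd -o module-load=pw-sha2"
#    only helps slappasswd; slapcat and slapd read olcModuleLoad instead.
#    (cn=module{0} is assumed to exist already; otherwise add it.)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2

# 2. olcPasswordHash on the frontend database needs olcFrontendConfig.
#    cn=config rejects objectClass changes over LDAP (error 53,
#    "objectclass modification disallowed"), so apply this part offline:
#      slapmodify -F /etc/openldap/slapd.d -n 0 -l frontend.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: objectClass
objectClass: olcFrontendConfig

# 3. Set the salted scheme on the frontend database (not plain {SHA256}).
#    Remove any olcPasswordHash left on cn=config from earlier attempts,
#    otherwise slapcat -n0 keeps reporting "scheme not available".
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA256}
```

Afterwards "slapcat -n0" should list olcModuleLoad: pw-sha2 and the frontend's olcPasswordHash without the "no valid hashes found" complaint.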
-----Original Message----- From: Quanah Gibson-Mount quanah@fast-mail.org Sent: Tuesday, April 22, 2025 5:44 PM To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org Subject: [EXT] Re: slapcat complains "scheme not available" after using "olcPasswordHash: sha256"