1SLAPPASSWD(8C)                                                  SLAPPASSWD(8C)
2
3
4

NAME

6       slappasswd - OpenLDAP password utility
7

SYNOPSIS

9       /usr/sbin/slappasswd  [-v] [-u] [-s secret|-T file] [-h hash] [-c salt-
10       format]
11

DESCRIPTION

13       Slappasswd is used to generate an userPassword value suitable  for  use
14       with ldapmodify(1) or slapd.conf(5) rootpw configuration directive.
15

OPTIONS

17       -v     enable verbose mode.
18
19       -u     Generate  RFC  2307  userPassword  values (the default).  Future
20              versions of this program may generate  alternative  syntaxes  by
21              default.  This option is provided for forward compatibility.
22
23       -s secret
24              The secret to hash.  If this and -T are absent, the user will be
25              prompted for the secret to hash.  -s and -T and mutually  exclu‐
26              sive flags.
27
28       -T file
29              Hash  the  contents of the file.  If this and -s are absent, the
30              user will be prompted for the secret to hash.   -s  and  -T  and
31              mutually exclusive flags.
32
33       -h scheme
34              If -h is specified, one of the following RFC 2307 schemes may be
35              specified: {CRYPT},  {MD5},  {SMD5},  {SSHA},  and  {SHA}.   The
36              default is {SSHA}.
37
38              Note that scheme names may need to be protected, due to { and },
39              from expansion by the user's command interpreter.
40
41              {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the  lat‐
42              ter with a seed.
43
44              {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
45              with a seed.
46
47              {CRYPT} uses the crypt(3).
48
49              {CLEARTEXT} indicates that the new password should be  added  to
50              userPassword as clear text.
51
52       -c crypt-salt-format
53              Specify  the format of the salt passed to crypt(3) when generat‐
54              ing {CRYPT} passwords.  This string needs to  be  in  sprintf(3)
55              format  and  may include one (and only one) %s conversion.  This
56              conversion will be substituted with a string  random  characters
57              from  [A-Za-z0-9./].  For example, '%.2s' provides a two charac‐
58              ter salt and '$1$%.8s' tells some versions of crypt(3) to use an
59              MD5  algorithm  and  provides  8 random characters of salt.  The
60              default is '%s', which provides 31 characters of salt.
61

LIMITATIONS

63       The practice storing hashed passwords in userPassword violates Standard
64       Track (RFC 2256) schema specifications and may hinder interoperability.
65       A new attribute type, authPassword, to hold hashed passwords  has  been
66       defined (RFC 3112), but is not yet implemented in slapd(8).
67
68       It should also be noted that the behavior of
69              crypt(3) is platform specific.
70

SECURITY CONSIDERATIONS

72       Use  of  hashed  passwords  does  not protect passwords during protocol
73       transfer.  TLS or other eavesdropping protections  should  be  in-place
74       before using LDAP simple bind.
75
76       The hashed password values should be protected as if they
77              were clear text passwords.
78

SEE ALSO

80       ldappasswd(1),  ldapmodify(1), slapd(8) slapd.conf(5) RFC 2307 RFC 2256
81       RFC 3112
82
83       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
84

ACKNOWLEDGEMENTS

86       OpenLDAP  is  developed  and  maintained  by   The   OpenLDAP   Project
87       (http://www.openldap.org/).   OpenLDAP  is  derived  from University of
88       Michigan LDAP 3.3 Release.
89
90
91
92OpenLDAP 2.3.34                    2007/2/16                    SLAPPASSWD(8C)
Impressum