.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP$
-.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
.SH NAME
slappasswd \- OpenLDAP password utility
.SH SYNOPSIS
.B SBINDIR/slappasswd
.B [\-v]
.B [\-u]
-.B [\-s secret]
+.B [\-g|\-s secret|\-T file]
.B [\-h hash]
.B [\-c salt-format]
+.B [\-n]
.B
.LP
.SH DESCRIPTION
.B Slappasswd
is used to generate an userPassword value
suitable for use with
-.BR ldapmodify (1)
-or
+.BR ldapmodify (1),
.BR slapd.conf (5)
.I rootpw
+configuration directive or the
+.BR slapd-config (5)
+.I olcRootPW
configuration directive.
+.
.SH OPTIONS
.TP
.B \-v
by default. This option is provided for forward compatibility.
.TP
.BI \-s " secret"
-The secret to hash. If not provided, the user will be prompted
-for the secret to hash.
+The secret to hash.
+If this,
+.B \-g
+and
+.B \-T
+are absent, the user will be prompted for the secret to hash.
+.BR \-s ,
+.B \-g
+and
+.B \-T
+and mutually exclusive flags.
+.TP
+.BI \-g
+Generate the secret.
+If this,
+.B \-s
+and
+.B \-T
+are absent, the user will be prompted for the secret to hash.
+.BR \-s ,
+.B \-g
+and
+.B \-T
+and mutually exclusive flags.
+If this is present,
+.I {CLEARTEXT}
+is used as scheme.
+.B \-g
+and
+.B \-h
+are mutually exclusive flags.
+.TP
+.BI \-T " file"
+Hash the contents of the file.
+If this,
+.B \-g
+and
+.B \-s
+are absent, the user will be prompted for the secret to hash.
+.BR \-s ,
+.B \-g
+and
+.B \-T
+and mutually exclusive flags.
.TP
.BI \-h " scheme"
If -h is specified, one of the following RFC 2307 schemes may
The default is
.IR {SSHA} .
+Note that scheme names may need to be protected, due to
+.B {
+and
+.BR } ,
+from expansion by the user's command interpreter.
+
.B {SHA}
and
.B {SSHA}
.B {CLEARTEXT}
indicates that the new password should be added to userPassword as
clear text.
+Unless
+.I {CLEARTEXT}
+is used, this flag is incompatible with
+.BR \-g .
.TP
.BI \-c " crypt-salt-format"
Specify the format of the salt passed to
.BR sprintf (3)
format and may include one (and only one) %s conversion.
This conversion will be substituted with a string random
-characters from [A\-Za\-z0\-9./]. For example, "%.2s"
-provides a two character salt and "$1$%.8s" tells some
+characters from [A\-Za\-z0\-9./]. For example, '%.2s'
+provides a two character salt and '$1$%.8s' tells some
versions of crypt(3) to use an MD5 algorithm and provides
-8 random characters of salt. The default is "%s", which
+8 random characters of salt. The default is '%s', which
provides 31 characters of salt.
+.TP
+.BI \-n
+Omit the trailing newline; useful to pipe the credentials
+into a command.
.SH LIMITATIONS
-The practice storing hashed passwords in userPassword violates
-Standard Track (RFC 2256) schema specifications and may hinder
+The practice of storing hashed passwords in userPassword violates
+Standard Track (RFC 4519) schema specifications and may hinder
interoperability. A new attribute type, authPassword, to hold
hashed passwords has been defined (RFC 3112), but is not yet
implemented in
.BR slapd (8).
+.LP
+It should also be noted that the behavior of
+.BR crypt (3)
+is platform specific.
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
-should be inplace before using LDAP simple bind. The
-hashed password values should be protected as if they
+should be in\-place before using LDAP simple bind.
+.LP
+The hashed password values should be protected as if they
were clear text passwords.
.SH "SEE ALSO"
.BR ldappasswd (1),
.BR ldapmodify (1),
-.BR slapd (8)
-.BR slapd.conf (5)
+.BR slapd (8),
+.BR slapd.conf (5),
+.BR slapd\-config (5),
.B RFC 2307
-.B RFC 2256
+.B RFC 4519
.B RFC 3112
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
-OpenLDAP is developed and maintained by
-The OpenLDAP Project (http://www.openldap.org/).
-OpenLDAP is derived from University of Michigan LDAP 3.3 Release.
+.so ../Project