-.TH SLAPPASSWD 8C "13 August 2000" "OpenLDAP LDVERSION"
+.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slappasswd \- OpenLDAP password utility
.SH SYNOPSIS
.B SBINDIR/slappasswd
-.B [\-a]
.B [\-v]
-.B [\-s secret]
+.B [\-u]
+.B [\-s secret|\-T file]
.B [\-h hash]
+.B [\-c salt-format]
.B
.LP
.SH DESCRIPTION
.LP
.B Slappasswd
-is used to compute a hashed password suitable for use
-as a userPassword value
+is used to generate an userPassword value
+suitable for use with
+.BR ldapmodify (1)
+or
.BR slapd.conf (5)
-.BR rootpw .
+.I rootpw
+configuration directive.
.SH OPTIONS
.TP
-.B \-a
-generate authPassword values instead of RFC2307 passwords
-.TP
.B \-v
enable verbose mode.
.TP
+.B \-u
+Generate RFC 2307 userPassword values (the default). Future
+versions of this program may generate alternative syntaxes
+by default. This option is provided for forward compatibility.
+.TP
.BI \-s " secret"
-The secret to hash. If not provided, the user will be prompted
-for the secret to hash.
+The secret to hash.
+If this and
+.B \-T
+are absent, the user will be prompted for the secret to hash.
+.B \-s
+and
+.B \-T
+and mutually exclusive flags.
+.TP
+.BI \-T " file"
+Hash the contents of the file.
+If this and
+.B \-s
+are absent, the user will be prompted for the secret to hash.
+.B \-s
+and
+.B \-T
+and mutually exclusive flags.
.TP
.BI \-h " scheme"
-The hash scheme to use. RFC2307 schemes supported include
+If -h is specified, one of the following RFC 2307 schemes may
+be specified:
.IR {CRYPT} ,
.IR {MD5} ,
.IR {SMD5} ,
.IR {SHA} .
The default is
.IR {SSHA} .
-.LP
-If \-a is specified, the following authPassword schemes
-may be specified:
-.IR MD5 ,
-.IR SHA1 ", and"
-.IR X-CRYPT .
-The default is
-.IR SHA1 .
+
+Note that scheme names may need to be protected, due to
+.B {
+and
+.BR } ,
+from expansion by the user's command interpreter.
+
+.B {SHA}
+and
+.B {SSHA}
+use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
+
+.B {MD5}
+and
+.B {SMD5}
+use the MD5 algorithm (RFC 1321), the latter with a seed.
+
+.B {CRYPT}
+uses the
+.BR crypt (3).
+
+.B {CLEARTEXT}
+indicates that the new password should be added to userPassword as
+clear text.
+.TP
+.BI \-c " crypt-salt-format"
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./]. For example, '%.2s'
+provides a two character salt and '$1$%.8s' tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt. The default is '%s', which
+provides 31 characters of salt.
.SH LIMITATIONS
-The practice storing hashed passwords in userPassword
-violates Standard Track schema and may hinder
-interoperability. authPassword is not yet widely supported.
+The practice storing hashed passwords in userPassword violates
+Standard Track (RFC 2256) schema specifications and may hinder
+interoperability. A new attribute type, authPassword, to hold
+hashed passwords has been defined (RFC 3112), but is not yet
+implemented in
+.BR slapd (8).
+.TP
+It should also be noted that the behavior of
+.BR crypt (3)
+is platform specific.
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
-should be inplace before using LDAP simple bind. The
-hashed password values should be protected as if they
+should be in\-place before using LDAP simple bind.
+.TP
+The hashed password values should be protected as if they
were clear text passwords.
.SH "SEE ALSO"
.BR ldappasswd (1),
.BR ldapmodify (1),
.BR slapd (8)
+.BR slapd.conf (5)
+.B RFC 2307
+.B RFC 2256
+.B RFC 3112
.LP
-"OpenLDAP Administrator's Guide"
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.
+OpenLDAP is developed and maintained by
+The OpenLDAP Project (http://www.openldap.org/).
+OpenLDAP is derived from University of Michigan LDAP 3.3 Release.