X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=contrib%2Fslapd-modules%2Fpasswd%2Fsha2%2FREADME;h=f63ddc60dd641bd3663fadd5898e5980777781d0;hb=899f3c994fc2c376aa79732577c17c9f42681c94;hp=00dfff2a1afecba4d47ebe45b073cc9a05955ffe;hpb=550dc4aaeee2b9f2ed25b451d950bd5e7088652d;p=openldap

diff --git a/contrib/slapd-modules/passwd/sha2/README b/contrib/slapd-modules/passwd/sha2/README
index 00dfff2a1a..f63ddc60dd 100644
--- a/contrib/slapd-modules/passwd/sha2/README
+++ b/contrib/slapd-modules/passwd/sha2/README
@@ -1,8 +1,9 @@
-SHA-512 OpenLDAP support
-------------------------
+SHA-2 OpenLDAP support
+----------------------
 
-slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in
-OpenLDAP. For instance, one could have the LDAP attribute:
+slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256,
+SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For
+instance, one could have the LDAP attribute:
 
 userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
 
@@ -41,13 +42,14 @@ moduleload ...path/to/slapd-sha2.so
 Configuring
 -----------
 
-The {SHA256}, {SHA384} and {SHA512} password schemes should now be recognised.
+The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512}
+password schemes should now be recognised.
 
 You can also tell OpenLDAP to use one of these new schemes when processing LDAP
 Password Modify Extended Operations, thanks to the password-hash option in
 slapd.conf. For example:
 
-password-hash	{SHA256}
+password-hash	{SSHA512}
 
 
 Testing
@@ -57,7 +59,7 @@ A quick way to test whether it's working is to customize the rootdn and
 rootpw in slapd.conf, eg:
 
 rootdn          "cn=admin,dc=example,dc=com"
-# This encrypts the string 'secret' 
+# This encrypts the string 'secret'
 
 rootpw  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
 
@@ -74,7 +76,7 @@ $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
 $ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
 WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
-$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64   
+$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
 vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
 W192CF5bDufKRpayrW/isg==
 
@@ -83,22 +85,18 @@ W192CF5bDufKRpayrW/isg==
 
 
 Alternatively we could modify an existing user's password with
-ldapmodify, and then test binding as that user:
+ldappasswd, and then test binding as that user:
 
-$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W
-Enter LDAP Password: 
-dn: uid=jturner,ou=People,dc=example,dc=com
-changetype: modify 
-replace: userPassword
-userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
-
-modifying entry "uid=jturner,ou=People,dc=example,dc=com"
+$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com
+New password: secret
+Re-enter new password: secret
+Enter LDAP Password: <cn=admin's password>
 
 $ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret
 
 
-Debugging
----------
+Debugging (SHA-512, SHA-384 and SHA-256 only)
+---------------------------------------------
 
 To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
 commented-out CCFLAGS in Makefile), and then run slapd from the console
@@ -106,19 +104,17 @@ to see stderr:
 
 $ sudo /etc/init.d/slapd stop
 Stopping OpenLDAP: slapd.
-$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256
+$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats
 @(#) $OpenLDAP$
         buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
-/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges.
-/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges.
 slapd starting
 ...
 Validating password
-  Password to validate: secret
-  Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
-  Stored password scheme: {SHA256}
-  Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
-  -> Passwords match
+  Hash scheme:		{SHA256}
+  Password to validate:	secret
+  Password hash:	K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+  Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+  Result:		match
 conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
 conn=0 op=0 RESULT tag=97 err=0 text=
 conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
@@ -128,7 +124,7 @@ conn=0 fd=12 closed (connection lost)
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 2009-2011 The OpenLDAP Foundation.
+Copyright 2009-2012 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without