X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman8%2Fslappasswd.8;h=13bc9789c66d356f6d55acbb02f59c4c367f9a70;hb=76590ae110f170a4da09c1c84ea9d4d88d4e59ab;hp=4b34bc060ee659b80f150c08e0e1a0090311778a;hpb=b43ad1dd0eac7f09ef5a6d205cd7f614411bee0c;p=openldap diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8 index 4b34bc060e..13bc9789c6 100644 --- a/doc/man/man8/slappasswd.8 +++ b/doc/man/man8/slappasswd.8 @@ -1,16 +1,17 @@ .TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION" -.\" $OpenLDAP$ -.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ .SH NAME slappasswd \- OpenLDAP password utility .SH SYNOPSIS .B SBINDIR/slappasswd .B [\-v] .B [\-u] -.B [\-s secret] +.B [\-g|\-s secret|\-T file] .B [\-h hash] .B [\-c salt-format] +.B [\-n] .B .LP .SH DESCRIPTION 
@@ -18,27 +19,72 @@ slappasswd \- OpenLDAP password utility .B Slappasswd is used to generate an userPassword value suitable for use with -.BR ldapmodify (1) -or +.BR ldapmodify (1), .BR slapd.conf (5) .I rootpw +configuration directive or the +.BR slapd-config (5) +.I olcRootPW configuration directive. +. .SH OPTIONS .TP .B \-v enable verbose mode. .TP .B \-u -Generate RFC2307 userPassword values (the default). Future +Generate RFC 2307 userPassword values (the default). Future versions of this program may generate alternative syntaxes by default. This option is provided for forward compatibility. .TP .BI \-s " secret" -The secret to hash. If not provided, the user will be prompted -for the secret to hash. +The secret to hash. +If this, +.B \-g +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. +.TP +.BI \-g +Generate the secret. +If this, +.B \-s +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. +If this is present, +.I {CLEARTEXT} +is used as scheme. +.B \-g +and +.B \-h +are mutually exclusive flags. +.TP +.BI \-T " file" +Hash the contents of the file. +If this, +.B \-g +and +.B \-s +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. .TP .BI \-h " scheme" -If -h is specified, one of the following RFC2307 schemes may +If -h is specified, one of the following RFC 2307 schemes may be specified: .IR {CRYPT} , .IR {MD5} , 
@@ -47,6 +93,34 @@ be specified: .IR {SHA} . The default is .IR {SSHA} . + +Note that scheme names may need to be protected, due to +.B { +and +.BR } , +from expansion by the user's command interpreter. + +.B {SHA} +and +.B {SSHA} +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. + +.B {MD5} +and +.B {SMD5} +use the MD5 algorithm (RFC 1321), the latter with a seed. + +.B {CRYPT} +uses the +.BR crypt (3). + +.B {CLEARTEXT} +indicates that the new password should be added to userPassword as +clear text. +Unless +.I {CLEARTEXT} +is used, this flag is incompatible with +.BR \-g . .TP .BI \-c " crypt-salt-format" Specify the format of the salt passed to 
@@ -56,30 +130,43 @@ This string needs to be in .BR sprintf (3) format and may include one (and only one) %s conversion. This conversion will be substituted with a string random -characters from [A\-Za\-z0\-9./]. For example, "%.2s" -provides a two character salt and "$1$%.8s" tells some +characters from [A\-Za\-z0\-9./]. For example, '%.2s' +provides a two character salt and '$1$%.8s' tells some versions of crypt(3) to use an MD5 algorithm and provides -8 random characters of salt. The default is "%s", which +8 random characters of salt. The default is '%s', which provides 31 characters of salt. +.TP +.BI \-n +Omit the trailing newline; useful to pipe the credentials +into a command. .SH LIMITATIONS -The practice storing hashed passwords in userPassword violates -Standard Track (RFC2256) schema specifications and may hinder -interoperability. A new attribute type to hold hashed -passwords is needed. +The practice of storing hashed passwords in userPassword violates +Standard Track (RFC 4519) schema specifications and may hinder +interoperability. A new attribute type, authPassword, to hold +hashed passwords has been defined (RFC 3112), but is not yet +implemented in +.BR slapd (8). +.LP +It should also be noted that the behavior of +.BR crypt (3) +is platform specific. .SH "SECURITY CONSIDERATIONS" Use of hashed passwords does not protect passwords during protocol transfer. TLS or other eavesdropping protections -should be inplace before using LDAP simple bind. The -hashed password values should be protected as if they +should be in\-place before using LDAP simple bind. +.LP +The hashed password values should be protected as if they were clear text passwords. 
.SH "SEE ALSO" .BR ldappasswd (1), .BR ldapmodify (1), -.BR slapd (8) -.BR slapd.conf (5) +.BR slapd (8), +.BR slapd.conf (5), +.BR slapd\-config (5), +.B RFC 2307 +.B RFC 4519 +.B RFC 3112 .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) .SH ACKNOWLEDGEMENTS -OpenLDAP is developed and maintained by -The OpenLDAP Project (http://www.openldap.org/). -OpenLDAP is derived from University of Michigan LDAP 3.3 Release. +.so ../Project
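Review bot: in the first hunk (@@ -1,16 +1,17 @@) the SYNOPSIS still names the -h argument `hash` (`.B [\-h hash]`) while the OPTIONS section documents it as `.BI \-h " scheme"`; since this hunk already touches the synopsis to add `[\-g|\-s secret|\-T file]` and `[\-n]`, rename the placeholder to `scheme` so the two agree.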
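Review bot: in the second hunk (@@ -18,27 +19,72 @@) "and mutually exclusive flags" is a typo for "are mutually exclusive flags", and it appears three times (under -s, -g and -T); fix the verb, and consider stating the exclusivity once rather than repeating the same four-line sentence under each option. Also `.BI \-g` takes no argument, so `.B \-g` is the matching macro, as already used for `\-v` and `\-u`.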
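Review bot: in the third hunk (@@ -47,6 +93,34 @@) "FIPS 160-1" is wrong; SHA-1 is specified in FIPS PUB 180-1, so correct the reference. The {CLEARTEXT} paragraph ("Unless {CLEARTEXT} is used, this flag is incompatible with -g") also contradicts the -g description in the previous hunk, which states flatly that -g and -h are mutually exclusive; decide which behaviour is intended and document it the same way in both places. Minor wording: "with a seed" should read "with a salt" to match RFC 2307 and the `\-c salt-format` option, and ".B {CRYPT} uses the .BR crypt (3)." renders as "uses the crypt(3)"; drop "the".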
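Review bot: in the last hunk (@@ -56,30 +130,43 @@) "in\-place" should be the two-word "in place"; the original "inplace" was a typo, but hyphenating it is not the fix. In SEE ALSO the three RFC entries lack the comma separators used by the entries above them; writing them as `.BR "RFC 2307" ,` and `.BR "RFC 4519" ,` (with the final entry unterminated) keeps the punctuation roman and the list consistent. Also `.BR slapd\-config (5)` here escapes the hyphen while the DESCRIPTION text in the second hunk uses `.BR slapd-config (5)`; use one form throughout.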