X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman8%2Fslappasswd.8;h=2b8d01f003c10d32fece4d0095484a5c8bd599b3;hb=c43c9b0bf16031f17ae9d1dfa6505f6cafce8341;hp=cfbc2b6573bf409a6f3067ec50d05b48a4dc6624;hpb=68aebc05c9978b795aa2b0b5029c9b01e8054e19;p=openldap diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8 index cfbc2b6573..2b8d01f003 100644 --- a/doc/man/man8/slappasswd.8 +++ b/doc/man/man8/slappasswd.8 @@ -1,28 +1,39 @@ .TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION" -.\" $OpenLDAP$ -.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2013 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ .SH NAME slappasswd \- OpenLDAP password utility .SH SYNOPSIS .B SBINDIR/slappasswd -.B [\-v] -.B [\-u] -.B [\-s secret] -.B [\-h hash] -.B [\-c salt-format] -.B +[\c +.BR \-v ] +[\c +.BR \-u ] +[\c +.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR] +[\c +.BI \-h \ hash\fR] +[\c +.BI \-c \ salt-format\fR] +[\c +.BR \-n ] +[\c +.BI \-o \ option\fR[ = value\fR]] .LP .SH DESCRIPTION .LP .B Slappasswd is used to generate an userPassword value suitable for use with -.BR ldapmodify (1) -or +.BR ldapmodify (1), .BR slapd.conf (5) .I rootpw +configuration directive or the +.BR slapd\-config (5) +.I olcRootPW configuration directive. +. .SH OPTIONS .TP .B \-v 
@@ -33,20 +44,68 @@ Generate RFC 2307 userPassword values (the default). Future versions of this program may generate alternative syntaxes by default. This option is provided for forward compatibility. .TP -.BI \-s " secret" -The secret to hash. If not provided, the user will be prompted -for the secret to hash. +.BI \-s \ secret +The secret to hash. +If this, +.B \-g +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +are mutually exclusive flags. +.TP +.BI \-g +Generate the secret. +If this, +.B \-s +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +are mutually exclusive flags. +If this is present, +.I {CLEARTEXT} +is used as scheme. +.B \-g +and +.B \-h +are mutually exclusive flags. +.TP +.BI \-T \ "file" +Hash the contents of the file. +If this, +.B \-g +and +.B \-s +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. .TP -.BI \-h " scheme" -If -h is specified, one of the following RFC 2307 schemes may +.BI \-h \ "scheme" +If \fB\-h\fP is specified, one of the following RFC 2307 schemes may be specified: -.IR {CRYPT} , -.IR {MD5} , -.IR {SMD5} , -.IR {SSHA} ", and" -.IR {SHA} . +.BR {CRYPT} , +.BR {MD5} , +.BR {SMD5} , +.BR {SSHA} ", and" +.BR {SHA} . The default is -.IR {SSHA} . +.BR {SSHA} . + +Note that scheme names may need to be protected, due to +.B { +and +.BR } , +from expansion by the user's command interpreter. .B {SHA} and 
@@ -65,44 +124,80 @@ uses the .B {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. +Unless +.I {CLEARTEXT} +is used, this flag is incompatible with option +.BR \-g . .TP -.BI \-c " crypt-salt-format" +.BI \-c \ crypt-salt-format Specify the format of the salt passed to .BR crypt (3) when generating {CRYPT} passwords. This string needs to be in .BR sprintf (3) -format and may include one (and only one) %s conversion. -This conversion will be substituted with a string random -characters from [A\-Za\-z0\-9./]. For example, "%.2s" -provides a two character salt and "$1$%.8s" tells some -versions of crypt(3) to use an MD5 algorithm and provides -8 random characters of salt. The default is "%s", which -provides 31 characters of salt. +format and may include one (and only one) +.B %s +conversion. +This conversion will be substituted with a string of random +characters from [A\-Za\-z0\-9./]. For example, +.RB ' %.2s ' +provides a two character salt and +.RB ' $1$%.8s ' +tells some +versions of +.BR crypt (3) +to use an MD5 algorithm and provides +8 random characters of salt. +The default is +.RB ' %s ' , +which provides 31 characters of salt. +.TP +.BI \-n +Omit the trailing newline; useful to pipe the credentials +into a command. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + module\-path= (see `\fBmodulepath\fP' in slapd.conf(5)) + module\-load= (see `\fBmoduleload\fP' in slapd.conf(5)) + +.in +You can load a dynamically loadable password hash module by +using this option. .SH LIMITATIONS -The practice storing hashed passwords in userPassword violates -Standard Track (RFC 2256) schema specifications and may hinder +The practice of storing hashed passwords in userPassword violates +Standard Track (RFC 4519) schema specifications and may hinder interoperability. 
A new attribute type, authPassword, to hold hashed passwords has been defined (RFC 3112), but is not yet implemented in .BR slapd (8). +.LP +It should also be noted that the behavior of +.BR crypt (3) +is platform specific. .SH "SECURITY CONSIDERATIONS" Use of hashed passwords does not protect passwords during protocol transfer. TLS or other eavesdropping protections -should be inplace before using LDAP simple bind. The -hashed password values should be protected as if they +should be in-place before using LDAP simple bind. +.LP +The hashed password values should be protected as if they were clear text passwords. .SH "SEE ALSO" .BR ldappasswd (1), .BR ldapmodify (1), -.BR slapd (8) -.BR slapd.conf (5) -.B RFC 2307 -.B RFC 2256 +.BR slapd (8), +.BR slapd.conf (5), +.BR slapd\-config (5), +.B RFC 2307\fP, +.B RFC 4519\fP, .B RFC 3112 .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) .SH ACKNOWLEDGEMENTS -OpenLDAP is developed and maintained by -The OpenLDAP Project (http://www.openldap.org/). -OpenLDAP is derived from University of Michigan LDAP 3.3 Release. +.so ../Project
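Review bot: In the first hunk the new SYNOPSIS line `.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR]` renders the two `|` separators in different fonts: `.BR` alternates bold and roman per argument, so the first `\||\|` (argument 2) is roman while the second (argument 5) is bold, and `\-T` only comes out bold because of the explicit `\fB`. Consider listing the three alternatives on separate lines like the other options, or setting the whole group with explicit font escapes in one request, so each flag and separator renders the same way. Minor, in the unchanged context: "generate an userPassword value" should read "a userPassword value".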
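Review bot: In the second hunk the new `\-T` entry ends with "and mutually exclusive flags", which should be "are mutually exclusive flags" as in the `\-s` and `\-g` entries. The `\-g` entry also disagrees with the third hunk: here it says "`\-g` and `\-h` are mutually exclusive flags", while the `\-h` entry later says the two are incompatible "unless `{CLEARTEXT}` is used"; pick one statement and use it in both places. Because `\-g` forces the `{CLEARTEXT}` scheme, the entry should say plainly that the generated secret is written out in clear (the combination the new `\-n` option's "pipe the credentials into a command" use case pairs with), so a reader knows that output must be handled like a password. Style: `.BI \-g` takes a single argument, so `.B \-g` is the conventional macro (likewise `.BI \-n` in the next hunk).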
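Review bot: In the third hunk the `\-o` entry opens a no-fill block with `.nf` but never closes it: the bare `.in` that follows only resets the indent, so the two source lines "You can load a dynamically loadable password hash module by" / "using this option." are still set unfilled and break where the source breaks. Add a `.fi` before (or in place of) the `.in`. Two smaller points: the table inside the block cites "slapd.conf(5)" as plain text while the rest of the page uses `.BR slapd.conf (5)`, and "with a(n optional)" reads better as "with an optional". The closing `.so ../Project` only works if that file is resolved relative to the page at build or install time; if the installed page is not preprocessed, the ACKNOWLEDGEMENTS section will render empty.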