2002-06-13 11:59:10 +08:00
|
|
|
.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
|
2012-01-01 23:07:45 +08:00
|
|
|
.\" Copyright 1998-2012 The OpenLDAP Foundation All Rights Reserved.
|
2000-06-16 14:43:55 +08:00
|
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
2009-01-31 04:27:52 +08:00
|
|
|
.\" $OpenLDAP$
|
2000-06-16 14:43:55 +08:00
|
|
|
.SH NAME
|
2000-07-23 02:32:33 +08:00
|
|
|
slappasswd \- OpenLDAP password utility
|
2000-06-16 14:43:55 +08:00
|
|
|
.SH SYNOPSIS
|
|
|
|
.B SBINDIR/slappasswd
|
2009-06-03 08:43:44 +08:00
|
|
|
[\c
|
|
|
|
.BR \-v ]
|
|
|
|
[\c
|
|
|
|
.BR \-u ]
|
|
|
|
[\c
|
|
|
|
.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR]
|
|
|
|
[\c
|
|
|
|
.BI \-h \ hash\fR]
|
|
|
|
[\c
|
|
|
|
.BI \-c \ salt-format\fR]
|
|
|
|
[\c
|
|
|
|
.BR \-n ]
|
2000-06-16 14:43:55 +08:00
|
|
|
.B
|
|
|
|
.LP
|
|
|
|
.SH DESCRIPTION
|
|
|
|
.LP
|
|
|
|
.B Slappasswd
|
2000-08-25 15:42:11 +08:00
|
|
|
is used to generate an userPassword value
|
2000-08-25 13:31:59 +08:00
|
|
|
suitable for use with
|
2009-01-29 07:02:04 +08:00
|
|
|
.BR ldapmodify (1),
|
2000-06-16 14:43:55 +08:00
|
|
|
.BR slapd.conf (5)
|
2000-08-25 13:31:59 +08:00
|
|
|
.I rootpw
|
2009-01-29 07:02:04 +08:00
|
|
|
configuration directive or the
|
2009-06-03 08:43:44 +08:00
|
|
|
.BR slapd\-config (5)
|
2009-01-29 07:02:04 +08:00
|
|
|
.I olcRootPW
|
2001-06-13 13:40:24 +08:00
|
|
|
configuration directive.
|
2009-01-29 07:02:04 +08:00
|
|
|
.
|
2000-06-16 14:43:55 +08:00
|
|
|
.SH OPTIONS
|
|
|
|
.TP
|
|
|
|
.B \-v
|
|
|
|
enable verbose mode.
|
2001-06-13 13:40:24 +08:00
|
|
|
.TP
|
2000-08-25 15:55:08 +08:00
|
|
|
.B \-u
|
2002-09-21 01:27:08 +08:00
|
|
|
Generate RFC 2307 userPassword values (the default). Future
|
2000-08-25 15:55:08 +08:00
|
|
|
versions of this program may generate alternative syntaxes
|
|
|
|
by default. This option is provided for forward compatibility.
|
2000-06-16 14:43:55 +08:00
|
|
|
.TP
|
2009-06-03 08:43:44 +08:00
|
|
|
.BI \-s \ secret
|
2003-03-31 14:29:59 +08:00
|
|
|
The secret to hash.
|
2006-05-11 08:12:54 +08:00
|
|
|
If this,
|
|
|
|
.B \-g
|
|
|
|
and
|
2003-03-31 14:29:59 +08:00
|
|
|
.B \-T
|
|
|
|
are absent, the user will be prompted for the secret to hash.
|
2006-05-11 08:12:54 +08:00
|
|
|
.BR \-s ,
|
|
|
|
.B \-g
|
|
|
|
and
|
|
|
|
.B \-T
|
2009-06-03 08:43:44 +08:00
|
|
|
are mutually exclusive flags.
|
2006-05-11 08:12:54 +08:00
|
|
|
.TP
|
|
|
|
.BI \-g
|
|
|
|
Generate the secret.
|
|
|
|
If this,
|
2003-03-31 14:29:59 +08:00
|
|
|
.B \-s
|
|
|
|
and
|
|
|
|
.B \-T
|
2006-05-11 08:12:54 +08:00
|
|
|
are absent, the user will be prompted for the secret to hash.
|
|
|
|
.BR \-s ,
|
|
|
|
.B \-g
|
|
|
|
and
|
|
|
|
.B \-T
|
2009-06-03 08:43:44 +08:00
|
|
|
are mutually exclusive flags.
|
2006-05-11 08:12:54 +08:00
|
|
|
If this is present,
|
|
|
|
.I {CLEARTEXT}
|
|
|
|
is used as scheme.
|
|
|
|
.B \-g
|
|
|
|
and
|
|
|
|
.B \-h
|
|
|
|
are mutually exclusive flags.
|
2003-03-31 14:29:59 +08:00
|
|
|
.TP
|
2009-06-03 08:43:44 +08:00
|
|
|
.BI \-T \ "file"
|
2003-03-31 14:29:59 +08:00
|
|
|
Hash the contents of the file.
|
2006-05-11 08:12:54 +08:00
|
|
|
If this,
|
|
|
|
.B \-g
|
|
|
|
and
|
2003-03-31 14:29:59 +08:00
|
|
|
.B \-s
|
|
|
|
are absent, the user will be prompted for the secret to hash.
|
2006-05-11 08:12:54 +08:00
|
|
|
.BR \-s ,
|
|
|
|
.B \-g
|
2003-03-31 14:29:59 +08:00
|
|
|
and
|
|
|
|
.B \-T
|
|
|
|
and mutually exclusive flags.
|
2000-06-16 14:43:55 +08:00
|
|
|
.TP
|
2009-06-03 08:43:44 +08:00
|
|
|
.BI \-h \ "scheme"
|
|
|
|
If \fB\-h\fP is specified, one of the following RFC 2307 schemes may
|
2000-08-25 13:31:59 +08:00
|
|
|
be specified:
|
2009-06-03 08:43:44 +08:00
|
|
|
.BR {CRYPT} ,
|
|
|
|
.BR {MD5} ,
|
|
|
|
.BR {SMD5} ,
|
|
|
|
.BR {SSHA} ", and"
|
|
|
|
.BR {SHA} .
|
2000-06-16 14:43:55 +08:00
|
|
|
The default is
|
2009-06-03 08:43:44 +08:00
|
|
|
.BR {SSHA} .
|
2002-09-21 01:27:08 +08:00
|
|
|
|
2004-01-09 12:11:57 +08:00
|
|
|
Note that scheme names may need to be protected, due to
|
|
|
|
.B {
|
|
|
|
and
|
|
|
|
.BR } ,
|
|
|
|
from expansion by the user's command interpreter.
|
|
|
|
|
2002-09-21 01:12:58 +08:00
|
|
|
.B {SHA}
|
|
|
|
and
|
|
|
|
.B {SSHA}
|
|
|
|
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
|
2002-09-21 01:27:08 +08:00
|
|
|
|
2002-09-21 01:12:58 +08:00
|
|
|
.B {MD5}
|
|
|
|
and
|
|
|
|
.B {SMD5}
|
|
|
|
use the MD5 algorithm (RFC 1321), the latter with a seed.
|
2002-09-21 01:27:08 +08:00
|
|
|
|
2002-09-21 01:12:58 +08:00
|
|
|
.B {CRYPT}
|
|
|
|
uses the
|
|
|
|
.BR crypt (3).
|
2002-09-21 01:27:08 +08:00
|
|
|
|
2002-09-21 01:12:58 +08:00
|
|
|
.B {CLEARTEXT}
|
|
|
|
indicates that the new password should be added to userPassword as
|
|
|
|
clear text.
|
2006-05-11 08:12:54 +08:00
|
|
|
Unless
|
|
|
|
.I {CLEARTEXT}
|
2009-06-03 08:43:44 +08:00
|
|
|
is used, this flag is incompatible with option
|
2006-05-11 08:12:54 +08:00
|
|
|
.BR \-g .
|
2002-09-21 01:12:58 +08:00
|
|
|
.TP
|
2009-06-03 08:43:44 +08:00
|
|
|
.BI \-c \ crypt-salt-format
|
2001-06-13 13:40:24 +08:00
|
|
|
Specify the format of the salt passed to
|
|
|
|
.BR crypt (3)
|
|
|
|
when generating {CRYPT} passwords.
|
|
|
|
This string needs to be in
|
|
|
|
.BR sprintf (3)
|
2009-06-03 08:43:44 +08:00
|
|
|
format and may include one (and only one)
|
|
|
|
.B %s
|
|
|
|
conversion.
|
|
|
|
This conversion will be substituted with a string of random
|
|
|
|
characters from [A\-Za\-z0\-9./]. For example,
|
|
|
|
.RB ' %.2s '
|
|
|
|
provides a two character salt and
|
|
|
|
.RB ' $1$%.8s '
|
|
|
|
tells some
|
|
|
|
versions of
|
|
|
|
.BR crypt (3)
|
|
|
|
to use an MD5 algorithm and provides
|
|
|
|
8 random characters of salt.
|
|
|
|
The default is
|
|
|
|
.RB ' %s ' ,
|
|
|
|
which provides 31 characters of salt.
|
2006-05-11 22:36:20 +08:00
|
|
|
.TP
|
|
|
|
.BI \-n
|
|
|
|
Omit the trailing newline; useful to pipe the credentials
|
|
|
|
into a command.
|
2000-06-16 14:43:55 +08:00
|
|
|
.SH LIMITATIONS
|
2006-12-21 01:02:18 +08:00
|
|
|
The practice of storing hashed passwords in userPassword violates
|
2006-06-10 01:20:38 +08:00
|
|
|
Standard Track (RFC 4519) schema specifications and may hinder
|
2002-09-21 01:27:08 +08:00
|
|
|
interoperability. A new attribute type, authPassword, to hold
|
|
|
|
hashed passwords has been defined (RFC 3112), but is not yet
|
|
|
|
implemented in
|
|
|
|
.BR slapd (8).
|
2006-12-21 01:02:18 +08:00
|
|
|
.LP
|
2003-12-30 09:37:38 +08:00
|
|
|
It should also be noted that the behavior of
|
|
|
|
.BR crypt (3)
|
|
|
|
is platform specific.
|
2000-06-16 14:43:55 +08:00
|
|
|
.SH "SECURITY CONSIDERATIONS"
|
|
|
|
Use of hashed passwords does not protect passwords during
|
|
|
|
protocol transfer. TLS or other eavesdropping protections
|
2009-06-03 08:43:44 +08:00
|
|
|
should be in-place before using LDAP simple bind.
|
2006-12-21 01:02:18 +08:00
|
|
|
.LP
|
2003-12-30 09:37:38 +08:00
|
|
|
The hashed password values should be protected as if they
|
2000-06-16 14:43:55 +08:00
|
|
|
were clear text passwords.
|
|
|
|
.SH "SEE ALSO"
|
2000-07-23 02:32:33 +08:00
|
|
|
.BR ldappasswd (1),
|
|
|
|
.BR ldapmodify (1),
|
2009-01-30 08:23:58 +08:00
|
|
|
.BR slapd (8),
|
|
|
|
.BR slapd.conf (5),
|
|
|
|
.BR slapd\-config (5),
|
2009-06-03 08:43:44 +08:00
|
|
|
.B RFC 2307\fP,
|
|
|
|
.B RFC 4519\fP,
|
2002-09-21 01:27:08 +08:00
|
|
|
.B RFC 3112
|
2000-08-14 06:06:01 +08:00
|
|
|
.LP
|
2000-08-25 07:18:06 +08:00
|
|
|
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
|
2000-06-16 14:43:55 +08:00
|
|
|
.SH ACKNOWLEDGEMENTS
|
2006-06-14 12:24:43 +08:00
|
|
|
.so ../Project
|