openldap/doc/man/man8/slappasswd.8

188 lines
3.8 KiB
Groff
Raw Normal View History

2002-06-13 11:59:10 +08:00
.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
2010-04-14 06:17:29 +08:00
.\" Copyright 1998-2010 The OpenLDAP Foundation All Rights Reserved.
2000-06-16 14:43:55 +08:00
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
2000-06-16 14:43:55 +08:00
.SH NAME
2000-07-23 02:32:33 +08:00
slappasswd \- OpenLDAP password utility
2000-06-16 14:43:55 +08:00
.SH SYNOPSIS
.B SBINDIR/slappasswd
2009-06-03 08:43:44 +08:00
[\c
.BR \-v ]
[\c
.BR \-u ]
[\c
.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR]
[\c
.BI \-h \ hash\fR]
[\c
.BI \-c \ salt-format\fR]
[\c
.BR \-n ]
2000-06-16 14:43:55 +08:00
.B
.LP
.SH DESCRIPTION
.LP
.B Slappasswd
is used to generate an userPassword value
2000-08-25 13:31:59 +08:00
suitable for use with
.BR ldapmodify (1),
2000-06-16 14:43:55 +08:00
.BR slapd.conf (5)
2000-08-25 13:31:59 +08:00
.I rootpw
configuration directive or the
2009-06-03 08:43:44 +08:00
.BR slapd\-config (5)
.I olcRootPW
2001-06-13 13:40:24 +08:00
configuration directive.
.
2000-06-16 14:43:55 +08:00
.SH OPTIONS
.TP
.B \-v
enable verbose mode.
2001-06-13 13:40:24 +08:00
.TP
.B \-u
2002-09-21 01:27:08 +08:00
Generate RFC 2307 userPassword values (the default). Future
versions of this program may generate alternative syntaxes
by default. This option is provided for forward compatibility.
2000-06-16 14:43:55 +08:00
.TP
2009-06-03 08:43:44 +08:00
.BI \-s \ secret
2003-03-31 14:29:59 +08:00
The secret to hash.
If this,
.B \-g
and
2003-03-31 14:29:59 +08:00
.B \-T
are absent, the user will be prompted for the secret to hash.
.BR \-s ,
.B \-g
and
.B \-T
2009-06-03 08:43:44 +08:00
are mutually exclusive flags.
.TP
.BI \-g
Generate the secret.
If this,
2003-03-31 14:29:59 +08:00
.B \-s
and
.B \-T
are absent, the user will be prompted for the secret to hash.
.BR \-s ,
.B \-g
and
.B \-T
2009-06-03 08:43:44 +08:00
are mutually exclusive flags.
If this is present,
.I {CLEARTEXT}
is used as scheme.
.B \-g
and
.B \-h
are mutually exclusive flags.
2003-03-31 14:29:59 +08:00
.TP
2009-06-03 08:43:44 +08:00
.BI \-T \ "file"
2003-03-31 14:29:59 +08:00
Hash the contents of the file.
If this,
.B \-g
and
2003-03-31 14:29:59 +08:00
.B \-s
are absent, the user will be prompted for the secret to hash.
.BR \-s ,
.B \-g
2003-03-31 14:29:59 +08:00
and
.B \-T
and mutually exclusive flags.
2000-06-16 14:43:55 +08:00
.TP
2009-06-03 08:43:44 +08:00
.BI \-h \ "scheme"
If \fB\-h\fP is specified, one of the following RFC 2307 schemes may
2000-08-25 13:31:59 +08:00
be specified:
2009-06-03 08:43:44 +08:00
.BR {CRYPT} ,
.BR {MD5} ,
.BR {SMD5} ,
.BR {SSHA} ", and"
.BR {SHA} .
2000-06-16 14:43:55 +08:00
The default is
2009-06-03 08:43:44 +08:00
.BR {SSHA} .
2002-09-21 01:27:08 +08:00
Note that scheme names may need to be protected, due to
.B {
and
.BR } ,
from expansion by the user's command interpreter.
.B {SHA}
and
.B {SSHA}
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
2002-09-21 01:27:08 +08:00
.B {MD5}
and
.B {SMD5}
use the MD5 algorithm (RFC 1321), the latter with a seed.
2002-09-21 01:27:08 +08:00
.B {CRYPT}
uses the
.BR crypt (3).
2002-09-21 01:27:08 +08:00
.B {CLEARTEXT}
indicates that the new password should be added to userPassword as
clear text.
Unless
.I {CLEARTEXT}
2009-06-03 08:43:44 +08:00
is used, this flag is incompatible with option
.BR \-g .
.TP
2009-06-03 08:43:44 +08:00
.BI \-c \ crypt-salt-format
2001-06-13 13:40:24 +08:00
Specify the format of the salt passed to
.BR crypt (3)
when generating {CRYPT} passwords.
This string needs to be in
.BR sprintf (3)
2009-06-03 08:43:44 +08:00
format and may include one (and only one)
.B %s
conversion.
This conversion will be substituted with a string of random
characters from [A\-Za\-z0\-9./]. For example,
.RB ' %.2s '
provides a two character salt and
.RB ' $1$%.8s '
tells some
versions of
.BR crypt (3)
to use an MD5 algorithm and provides
8 random characters of salt.
The default is
.RB ' %s ' ,
which provides 31 characters of salt.
2006-05-11 22:36:20 +08:00
.TP
.BI \-n
Omit the trailing newline; useful to pipe the credentials
into a command.
2000-06-16 14:43:55 +08:00
.SH LIMITATIONS
2006-12-21 01:02:18 +08:00
The practice of storing hashed passwords in userPassword violates
2006-06-10 01:20:38 +08:00
Standard Track (RFC 4519) schema specifications and may hinder
2002-09-21 01:27:08 +08:00
interoperability. A new attribute type, authPassword, to hold
hashed passwords has been defined (RFC 3112), but is not yet
implemented in
.BR slapd (8).
2006-12-21 01:02:18 +08:00
.LP
2003-12-30 09:37:38 +08:00
It should also be noted that the behavior of
.BR crypt (3)
is platform specific.
2000-06-16 14:43:55 +08:00
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
2009-06-03 08:43:44 +08:00
should be in-place before using LDAP simple bind.
2006-12-21 01:02:18 +08:00
.LP
2003-12-30 09:37:38 +08:00
The hashed password values should be protected as if they
2000-06-16 14:43:55 +08:00
were clear text passwords.
.SH "SEE ALSO"
2000-07-23 02:32:33 +08:00
.BR ldappasswd (1),
.BR ldapmodify (1),
.BR slapd (8),
.BR slapd.conf (5),
.BR slapd\-config (5),
2009-06-03 08:43:44 +08:00
.B RFC 2307\fP,
.B RFC 4519\fP,
2002-09-21 01:27:08 +08:00
.B RFC 3112
2000-08-14 06:06:01 +08:00
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
2000-06-16 14:43:55 +08:00
.SH ACKNOWLEDGEMENTS
2006-06-14 12:24:43 +08:00
.so ../Project