openldap/doc/man/man8/slappasswd.8

.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slappasswd \- OpenLDAP password utility
.SH SYNOPSIS
.B SBINDIR/slappasswd
.B [\-v]
.B [\-u]
.B [\-g|\-s secret|\-T file]
.B [\-h hash]
.B [\-c salt-format]
.B [\-n]
.B
.LP
.SH DESCRIPTION
.LP
.B Slappasswd
is used to generate a userPassword value
suitable for use with
.BR ldapmodify (1)
or
.BR slapd.conf (5)
.I rootpw
configuration directive.
.SH OPTIONS
.TP
.B \-v
enable verbose mode.
.TP
.B \-u
Generate RFC 2307 userPassword values (the default). Future
versions of this program may generate alternative syntaxes
by default. This option is provided for forward compatibility.
.TP
.BI \-s " secret"
The secret to hash.
If this,
.B \-g
and
.B \-T
are absent, the user will be prompted for the secret to hash.
.BR \-s ,
.B \-g
and
.B \-T
are mutually exclusive flags.
.TP
.BI \-g
Generate the secret.
If this,
.B \-s
and
.B \-T
are absent, the user will be prompted for the secret to hash.
.BR \-s ,
.B \-g
and
.B \-T
are mutually exclusive flags.
If this is present,
.I {CLEARTEXT}
is used as scheme.
.B \-g
and
.B \-h
are mutually exclusive flags.
.TP
.BI \-T " file"
Hash the contents of the file.
If this,
.B \-g
and
.B \-s
are absent, the user will be prompted for the secret to hash.
.BR \-s ,
.B \-g
and
.B \-T
are mutually exclusive flags.
.TP
.BI \-h " scheme"
If -h is specified, one of the following RFC 2307 schemes may
be specified:
.IR {CRYPT} ,
.IR {MD5} ,
.IR {SMD5} ,
.IR {SSHA} ", and"
.IR {SHA} .
The default is
.IR {SSHA} .
Note that scheme names may need to be protected, due to
.B {
and
.BR } ,
from expansion by the user's command interpreter.
.B {SHA}
and
.B {SSHA}
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
.B {MD5}
and
.B {SMD5}
use the MD5 algorithm (RFC 1321), the latter with a seed.
.B {CRYPT}
uses the
.BR crypt (3).
.B {CLEARTEXT}
indicates that the new password should be added to userPassword as
clear text.
Unless
.I {CLEARTEXT}
is used, this flag is incompatible with
.BR \-g .
.TP
.BI \-c " crypt-salt-format"
Specify the format of the salt passed to
.BR crypt (3)
when generating {CRYPT} passwords.
This string needs to be in
.BR sprintf (3)
format and may include one (and only one) %s conversion.
This conversion will be substituted with a string of random
characters from [A\-Za\-z0\-9./]. For example, '%.2s'
provides a two character salt and '$1$%.8s' tells some
versions of crypt(3) to use an MD5 algorithm and provides
8 random characters of salt. The default is '%s', which
provides 31 characters of salt.
.TP
.BI \-n
Omit the trailing newline; useful to pipe the credentials
into a command.
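.LP
As an added example (not OpenLDAP's own code), the following Python builds and verifies the RFC 2307 values slappasswd prints for the {SHA}, {SSHA}, {MD5} and {SMD5} schemes described under \-h, splitting the base64 payload into digest and trailing salt so a stored value can be checked without knowing the salt in advance. The function names and the 4-byte salt length are assumptions of this example.

```python
"""Build and verify RFC 2307 userPassword values in the {SHA}, {SSHA}, {MD5} and
{SMD5} schemes accepted by -h.  Added example, not OpenLDAP's own code."""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib name, salted). Salted schemes store base64(digest || salt).
SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}


def make_userpassword(secret, scheme="{SSHA}", salt=None):
    """Return the string `slappasswd -h '{SSHA}' -s secret` would print."""
    algo, salted = SCHEMES[scheme.upper()]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)  # 4 random bytes (assumed salt length for this example)
    digest = hashlib.new(algo, secret.encode("utf-8") + salt).digest()
    return scheme.upper() + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(stored):
    """Split '{SCHEME}base64' into (scheme, digest, salt); None if unsupported."""
    if not stored.startswith("{") or "}" not in stored:
        return None  # no scheme prefix: not handled here (slapd treats it as cleartext)
    end = stored.index("}") + 1
    scheme = stored[:end].upper()
    if scheme not in SCHEMES:
        return None
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(stored[end:])
    dlen = hashlib.new(algo).digest_size  # the salt is whatever follows the digest
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return None
    return scheme, raw[:dlen], raw[dlen:]


def check_userpassword(secret, stored):
    """Verify a secret against a stored value using a constant-time compare."""
    parsed = parse_userpassword(stored)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    expected = hashlib.new(SCHEMES[scheme][0], secret.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```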
.SH LIMITATIONS
The practice of storing hashed passwords in userPassword violates
Standard Track (RFC 4519) schema specifications and may hinder
interoperability. A new attribute type, authPassword, to hold
hashed passwords has been defined (RFC 3112), but is not yet
implemented in
.BR slapd (8).
.LP
It should also be noted that the behavior of
.BR crypt (3)
is platform specific.
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
should be in place before using LDAP simple bind.
.LP
The hashed password values should be protected as if they
were clear text passwords.
.SH "SEE ALSO"
.BR ldappasswd (1),
.BR ldapmodify (1),
.BR slapd (8)
.BR slapd.conf (5)
.B RFC 2307
.B RFC 4519
.B RFC 3112
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.so ../Project