ITS#2906: report invalid userPassword schemes, clarify documentation

doc/man/man8/slappasswd.8

@@ -64,6 +64,12 @@ be specified:
 The default is 
 .IR {SSHA} .
 
+Note that scheme names may need to be protected, due to
+.B {
+and
+.BR } ,
+from expansion by the user's command interpreter.
+
 .B {SHA}
 and
 .B {SSHA}

libraries/liblutil/passwd.c

@@ -377,9 +377,17 @@ struct berval * lutil_passwd_hash(
 {
 	const struct pw_scheme *sc = get_scheme( method );
 
+	if( sc == NULL ) {
+		*text = "scheme not recognized";
+		return NULL;
+	}
+
+	if( ! sc->hash_fn ) {
+		*text = "scheme provided no hash function";
+		return NULL;
+	}
+
 	if( text ) *text = NULL;
-	if( sc == NULL ) return NULL;
-	if( ! sc->hash_fn ) return NULL;
 
 	return (sc->hash_fn)( &sc->name, passwd, text );
 }

servers/slapd/tools/slappasswd.c

@@ -131,10 +131,10 @@ main( int argc, char *argv[] )
 	}
 
 	hash = lutil_passwd_hash( &passwd, scheme, &text );
-
 	if( hash == NULL || hash->bv_val == NULL ) {
-		fprintf( stderr, "Password generation failed. %s\n",
-			text ? text : "" );
+		fprintf( stderr,
+			"Password generation failed for scheme %s: %s\n",
+			scheme, text ? text : "" );
 		return EXIT_FAILURE;
 	}