Misc updates to password codes / docs

doc/man/man5/slapd.conf.5

@@ -240,6 +240,20 @@ and
 The default is
 .BR {SSHA} .
 .TP
+.B password-crypt-salt-format <format>
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.  
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./].  For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt.  The default is "%s", which
+provides 31 characters of salt.
+.TP
 .B pidfile <filename>
 The ( absolute ) name of a file that will hold the 
 .B slapd

doc/man/man8/slappasswd.8

@@ -10,6 +10,7 @@ slappasswd \- OpenLDAP password utility
 .B [\-u]
 .B [\-s secret]
 .B [\-h hash]
+.B [\-c salt-format]
 .B 
 .LP
 .SH DESCRIPTION
@@ -21,13 +22,14 @@ suitable for use with
 or
 .BR slapd.conf (5)
 .I rootpw
-coniguration directive.
+configuration directive.
 .SH OPTIONS
 .TP
 .B \-v
 enable verbose mode.
+.TP
 .B \-u
-generate RFC2307 userPassword values (the default).  Future
+Generate RFC2307 userPassword values (the default).  Future
 versions of this program may generate alternative syntaxes
 by default.  This option is provided for forward compatibility.
 .TP
@@ -35,6 +37,7 @@ by default.  This option is provided for forward compatibility.
 The secret to hash.  If not provided, the user will be prompted
 for the secret to hash.
 .TP
+.BI \-h " scheme"
 If -h is specified, one of the following RFC2307 schemes may
 be specified:
 .IR {CRYPT} ,
@@ -44,7 +47,20 @@ be specified:
 .IR {SHA} .
 The default is 
 .IR {SSHA} .
-.LP
+.TP
+.BI \-c " crypt-salt-format"
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.  
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./].  For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt.  The default is "%s", which
+provides 31 characters of salt.
 .SH LIMITATIONS
 The practice storing hashed passwords in userPassword violates
 Standard Track (RFC2256) schema specifications and may hinder

libraries/liblutil/passwd.c

@@ -1239,15 +1239,9 @@ static struct berval *hash_crypt(
 int lutil_salt_format(const char *format)
 {
 #ifdef SLAPD_CRYPT
-	if (format) {
-		if (salt_format)
-			free(salt_format);
-		salt_format = strdup(format);
-	} else {  // unset if they pass in NULL
-		if (salt_format)
-			free(salt_format);
-		salt_format = NULL;
-	}
+	free(salt_format);
+
+	salt_format = format != NULL ? strdup(format) : NULL;
 #endif
 
 	return 0;

servers/slapd/tools/slappasswd.c

@@ -31,6 +31,7 @@ usage(const char *s)
 		"Usage: %s [options]\n"
 		"  -h hash\tpassword scheme\n"
 		"  -s secret\tnew password\n"
+		"  -c format\tcrypt(3) salt format\n"
 		"  -u\t\tgenerate RFC2307 values (default)\n"
 		"  -v\t\tincrease verbosity\n"
 		, s );
@@ -51,24 +52,28 @@ main( int argc, char *argv[] )
 	struct berval *hash = NULL;
 
 	while( (i = getopt( argc, argv,
-		"d:h:s:vu" )) != EOF )
+		"c:d:h:s:vu" )) != EOF )
 	{
 		switch (i) {
+		case 'c':	/* crypt salt format */
+			scheme = "{CRYPT}";
+			lutil_salt_format( optarg );
+			break;
+
 		case 'h':	/* scheme */
-			scheme = strdup (optarg);
+			scheme = strdup( optarg );
 			break;
 
 		case 's':	/* new password (secret) */
-			newpw = strdup (optarg);
-
 			{
 				char* p;
+				newpw = strdup( optarg );
 
 				for( p = optarg; *p != '\0'; p++ ) {
 					*p = '\0';
 				}
-			}
-			break;
+
+			} break;
 
 		case 'u':	/* RFC2307 userPassword */
 			break;