I have the following version on Ubuntu 12.04:
OpenLDAP: slapd (Sep 19 2013 22:49:31) $
buildd@batsu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd
OpenLDAP now offers SSHA as the default hash. I want to use a different hash. Yet, old tutorials are based on editing /etc/ldap/slapd.conf, which is gone in newer versions of OpenLDAP. Which file should I change?
Best Answer
Okay. I figured this out with help from IRC and reading the man page.
Assuming you don't want to re-create anything but just add password-hash to an existing LDAP backend, and you are running Ubuntu (this is tested on an Ubuntu machine only, but the method should be OS-agnostic):
We will be using ldapmodify to add, modify and remove entries.
Step 1: Create test.conf
We will create a file called test.conf and add the following:
The dn is different if you have a different database. I started out knowing nothing about where to place it, so I simulated:
The last command will convert the existing test.conf (my name for the famous old slapd.conf) to the new cn=config format.
If you tree the test.d directory, and if you read each of the ldif files, you will find exactly the file you want to modify. In my case (possibly for all Ubuntu users out there), it would be olcDatabase={-1}frontend.ldif.
The other thing is cn=config. This is because that ldif file exists under the cn=config directory. This is a good way to find out where the attribute is supposed to belong.
Step 2: Run ldapmodify
If you now check the ldif file, it should have the olcPasswordHash attribute.
If you want to specify the format of the hash, you can do this. Assuming you are following the previous two steps, you either comment out everything or start with a new file. The file needs to contain the following lines:
Run this using the same ldapmodify command. Now LDAP accounts will be hashed using SHA-256 ($6$ is SHA-512) plus a 16-char long salt and hashed 8000 times.
The dn entry is cn=config because this value (based on my simulation using step 1) is in the cn=config.ldif file.
To learn about the format, check http://www.openldap.org/lists/openldap-technical/201305/msg00002.html
If you are experimenting with different formats, you can try using the replace method. So the file would look like this.
Now I removed the 8000-iteration setting. I think by default the SHA5-256-CRYPT is hashed 5000 times.
You can read more about this by doing man ldapmodify and scrolling down to near the bottom of the man page.
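The two cn=config changes the answer describes, written out as a script (an added example, not the answerer's own files): it assumes the Ubuntu defaults, i.e. cn=config is writable over ldapi:/// with SASL EXTERNAL as root, the frontend database is olcDatabase={-1}frontend as above, and slapd was built with crypt support.

```shell
#!/bin/sh
# Added example: switch slapd's password hashing to crypt(3) SHA-512 with a
# 16-char salt and 8000 rounds through cn=config, using ldapmodify.
# Assumed layout (Ubuntu defaults): ldapi:/// + SASL EXTERNAL as root,
# frontend database olcDatabase={-1}frontend, slapd built with crypt support.
set -e

# Frontend database: hash new userPassword values with {CRYPT} instead of
# the default {SSHA}. "replace" works whether or not the attribute exists yet.
frontend_ldif() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {CRYPT}
EOF
}

# Global cn=config entry: the crypt(3) salt format string.
# $6$ selects SHA-512, rounds=N sets the iteration count (glibc's default
# is 5000 when rounds= is omitted), %.16s yields a 16-character salt.
salt_format_ldif() {
    rounds="${1:-8000}"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcCryptSaltFormat
olcCryptSaltFormat: \$6\$rounds=${rounds}\$%.16s
EOF
}

# Apply both modifications, then read the live values back from slapd.
apply_config() {
    frontend_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    salt_format_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -s base \
        -b 'olcDatabase={-1}frontend,cn=config' olcPasswordHash
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -s base \
        -b 'cn=config' olcCryptSaltFormat
}

# Only talk to slapd when the client tools are installed on this host.
if command -v ldapmodify >/dev/null 2>&1; then
    apply_config 8000 || echo "applying cn=config changes failed" >&2
fi
```

Only passwords set after the change are hashed with the new scheme; existing userPassword values keep their old {SSHA} hashes until they are changed.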