Re: Salted passwords, further clarification please

[Matthew Backes <mbackes@symas.com>]

> > I'm trying to write a script to change the rootpw value in  
> > slapd.conf.
>
> Why? Parsing slapd.conf yourself is error-prone. If you really need  
> the
> rootdn I would disable rootpw in slapd.conf and add a real entry for
> rootdn for which you can set the userPassword attribute.

Or use the dynamic config stuff to similarly change it on the fly  
through ldapmodifies to stuff under cn=config.

Or if you really want slapd.conf style rootpw setting, try doing it  
like the tests do now.  (You may need to pull from CVS.)  Several of  
the overlays that are dynamically configurable generate a rootdn/ 
rootpw in a separate file called configpw.conf.  (and keep a copy of  
the plaintext, obviously...)  This file is then used as part of the  
main slapd.conf by the magic of the include directive.  e.g. from  
openldap/tests/data/slapd-translucent-local.conf:

database config
include "configpw.conf"

This could just as easily be used for any other database, or any  
other configurable parameters you want your script to read and change  
without understanding the full complexity of slapd.conf.

> > My question has to do with the random salt.  How do I verify the
> > existing password?

We do not currently have a standalone tool providing that  
functionality, but what you are looking for is in liblutil.

> >  Going through slappasswd doesn't appear to work,
> > since it uses a random salt each time.
>
> Yes, slappasswd is for generating not checking password values.
>
> > Furthermore, how does the server know what the salt is?
>
> Since you know how long the particular hash value is everything  
> else is
> the salt.

In other words you need to look up the standard for how that hash  
works and where the salt goes.  Probably a better idea to use the  
hash/check functions within lutil, or rely on slapd to do it for you.

Matthew Backes
Symas Corporation
mbackes@symas.com
lucca@accela.net