What are {CRYPT} passwords and how do I generate them?
OpenLDAP supports RFC 2307 passwords, including the {CRYPT} and other schemes. Such passwords may be used as userPassword values and/or as the rootpw value. See "What are RFC 2307 hashed user passwords?".
{CRYPT} passwords are supported for migration purposes only. Use of {SSHA} passwords is recommended.
A {CRYPT} scheme value is the concatenation of "{CRYPT}" and the result of the crypt(3) library function.

Crypt(3) behavior differs not only from system to system, but also from implementation to implementation. For compatibility, slapd(8) must be linked with the same crypt(3) implementation, and on the same system, as the program that was used to generate the crypt(3) password values.

{CRYPT} passwords are designed to be compatible with your system's passwd file. You can generally (see the statement above) take the password field from your (possibly shadowed) password file, prefix it with "{CRYPT}" and save this as the password. However, do not expect interoperability with other systems' passwd files, as their crypt(3) implementations may behave differently.

Crypt(3) may generate traditional (DES-based) strings or use a better one-way hash (MD5, SHA1, or other). This may be configurable.
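
The conversion described above (password field prefixed with "{CRYPT}"), as an added Python example that is not part of the original FAQ: it builds userPassword values from shadow(5) lines, skips locked or empty fields, and reports which crypt(3) variant each hash needs so you can check it against the crypt(3) that slapd(8) is linked with. The variant prefixes ($1$, $5$, $6$, $2x$) follow the common modular crypt convention and are an assumption about your system; the sample lines are constructed.

```python
import re

# Constructed sample shadow(5) lines; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$CONSTRUCTEDsha512HASH:19000:0:99999:7:::
bob:saEXAMPLEHASH:19000:0:99999:7:::
carol:!$6$saltsalt$CONSTRUCTEDsha512HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
dave:$1$salt$CONSTRUCTEDmd5HASH:19000:0:99999:7:::
"""

# Assumed prefix convention (modular crypt format); adjust for your platform.
VARIANTS = [
    (re.compile(r"^\$1\$"), "md5"),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256"),
    (re.compile(r"^\$6\$"), "sha512"),
    # Traditional DES: 2 salt characters + 11 hash characters, no prefix.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional-des"),
]

def classify(field):
    """Name the crypt(3) variant a password field appears to use."""
    for pattern, name in VARIANTS:
        if pattern.search(field):
            return name
    return "unknown"

def shadow_to_crypt(shadow_text):
    """Return ({user: (userPassword value, variant)}, [users skipped])."""
    values, skipped = {}, []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        user, field = parts[0], parts[1]
        # Empty, "*", "x" (shadowed placeholder) or a leading "!" (locked)
        # is not a usable hash; importing it would create a bogus password.
        if field in ("", "*", "x") or field.startswith("!"):
            skipped.append(user)
            continue
        values[user] = ("{CRYPT}" + field, classify(field))
    return values, skipped

if __name__ == "__main__":
    converted, skipped = shadow_to_crypt(SAMPLE_SHADOW)
    for user, (value, variant) in converted.items():
        print(f"# {user}: needs crypt(3) variant {variant}")
        print(f"userPassword: {value}")
    print("# skipped (locked or no hash):", ", ".join(skipped))
```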

You can also generate password values using a number of utilities or you can easily roll your own script. The following example uses perl:

perl -e 'print("userPassword: {CRYPT}".crypt("secret","salt")."\n");'
"secret" is the password, "salt" is the salt. If crypt(3) generates traditional passwords, only the first two characters of the salt are used.

On systems, the above will work regardless of hash function used by crypt(3). However, on some systems you may need to call a special function. Here is one such example:

perl -e 'use Crypt::PasswdMD5;print("userPassword: {CRYPT}".unix_md5_crypt("secret","salt")."\n");'
"secret" is the password, "salt" is the salt.

The above example requires that the Perl modules Crypt::PasswdMD5 and MD5 be installed. Note that although it uses MD5, the value still uses the {CRYPT} scheme.

passwd(5)
This document is: http://www.openldap.org/faq/index.cgi?file=344
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org