(ITS#8023) slappasswd with sha2 overlay can generate hashes but not salted hashes



Full_Name: Jonathan Price
Version: 2.4.40
OS: FreeBSD 10.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.47.105.54)


I have compiled version 2.4.40 with the SHA2 module enabled.

I then run the slappasswd with the following arguments:
slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o module-load=pw-sha2

This works successfully, and in this example I used the word "test" and it
produced the following output:

{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==

However, if I replace {SHA512} with {SSHA512} it produces the following output:
Password verification failed.

I have tested SHA256, SHA384 and SHA512. All three of these work fine. All three
of SSHA256, SSHA384 and SSHA512 do not work, however. It appears that there is an
issue with slappasswd and salted SHA2 hashes.

I have checked that 2.4.40 is new enough to have a version of the SHA2 overlay,
and also checked the source to make sure it was definitely a new enough version,
and can confirm that it is.

Unfortunately, beyond this basic level of checking, I'm not a C programmer so I
can't investigate the issue further myself.
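
Added example, not part of the original report and not OpenLDAP code: a Python cross-check for the value formats discussed above, usable to verify a hash independently of slappasswd. It assumes the conventional OpenLDAP salted layout, base64(digest(password + salt) + salt), applies to the SSHA2 schemes and that new salts are 8 bytes; make_hash and check_hash are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import os

# Scheme name -> hashlib algorithm, for the six schemes named in the report.
SCHEMES = {p + n: "sha" + n for p in ("SHA", "SSHA") for n in ("256", "384", "512")}
SALT_LEN = 8  # assumption: salt size used when generating new salted values


def make_hash(scheme, password, salt=None):
    """Build a '{SCHEME}base64' value; salted schemes append the salt."""
    algo = SCHEMES[scheme]
    if scheme.startswith("SSHA"):
        salt = os.urandom(SALT_LEN) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_hash(stored, password):
    """Verify a password (bytes) against a stored '{SCHEME}base64' value."""
    scheme, sep, b64 = stored[1:].partition("}")
    algo = SCHEMES.get(scheme.upper())
    if not stored.startswith("{") or not sep or algo is None:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    # Unsalted values carry exactly the digest; salted values must carry a salt.
    if len(digest) != size or scheme.upper().startswith("SSHA") != bool(salt):
        return False
    expected = hashlib.new(algo, password + salt).digest()
    return hmac.compare_digest(digest, expected)


# Value quoted in the report for the word "test".
REPORTED = ("{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV"
            "+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==")
```

make_hash("SHA512", b"test") reproduces the {SHA512} value quoted in the report, so the unsalted output shown there is a plain base64-encoded SHA-512 digest.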