
(ITS#9137) slappasswd generates wrong SSHA from file



Full_Name: Antoine TRAN
Version: openldap-servers-2.4.44-21.el7_6.x86_64
OS: CentOS Linux release 7.7.1908 (Core)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.190.88.94)


I use slappasswd to generate SSHA passwords. The issue is that its behavior is
different depending on whether I submit the password on stdin or on the command line
with '-s', or from a secret file with '-T'. Command:
slappasswd -h {SSHA}
=> 'd' written twice as the password
slappasswd -h {SSHA} -s d

provides working SSHA.

But:
echo d >/run/secrets/rootpw
slappasswd -h {SSHA} -T /run/secrets/rootpw
provides a valid SSHA, but that does not match the password.

My multiple tests are done by replacing rootpw in /etc/openldap/slapd.conf and
regenerating with:
systemctl stop slapd
sed -i -e "s,rootpw .*\$,rootpw ${ROOTPW_HASH},g" /etc/openldap/slapd.conf
slapcat -n 0 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
systemctl start slapd
ldapsearch -D "${ROOTDN}" -w "${ROOTPW}"
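An added offline check, not from this report or from OpenLDAP itself, that decodes an {SSHA} value the way slapd reads it (base64 of sha1(password + salt) followed by the salt) and tests candidate passwords against it, with and without the trailing newline that `echo` appends; the fixed salt is constructed for the example only:

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in the decoded value is the salt


def generate_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value in the slappasswd layout: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a random salt; a fixed one is only for tests
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: bytes) -> bool:
    """Return True if `password` (exact bytes, newline included if present) matches `stored`."""
    scheme = "{SSHA}"
    if not stored.upper().startswith(scheme):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(scheme):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold a SHA-1 digest plus salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # constant-time comparison so the checker itself does not leak which bytes matched
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def find_matching_candidate(stored: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate that verifies against `stored`, or None."""
    for cand in candidates:
        if check_ssha(stored, cand):
            return cand
    return None


if __name__ == "__main__":
    # Constructed example: `echo d > file` stores "d\n", not "d", so a hash taken from the
    # raw file bytes only verifies when the newline is included.
    stored = generate_ssha(b"d\n", salt=b"\x01\x02\x03\x04")
    for cand in (b"d", b"d\n"):
        print(repr(cand), check_ssha(stored, cand))
```

Paste the value slappasswd -T produced in place of the constructed one to see which candidate, if any, it actually encodes.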

The content of the secret file can be "d" or "d\n", it does not make a
difference. Also, if I change the schema from SSHA to just a fixed salt, the
'-T' seems to work as expected:
(a) slappasswd -c 123
=> write d twice
(b) slappasswd -c 123 -s 123
(c) slappasswd -c 123 -T /run/secrets/rootpw

(a), (b) and (c) give the exact same hash. But I cannot put a fixed salt and
use SSHA; slappasswd prevents me from doing that, with an error that the scheme was
already provided.

I saw the same issue in another openldap mail:
https://www.openldap.org/lists/openldap-software/200805/msg00060.html but no
answer.