
Re: Salted passwords, further clarification please

> I'm trying to write a script to change the rootpw value in slapd.conf.

Why? Parsing slapd.conf yourself is error-prone. If you really need the
rootdn I would disable rootpw in slapd.conf and add a real entry for
rootdn for which you can set the userPassword attribute.

Or use the dynamic config stuff to similarly change it on the fly through ldapmodifies to stuff under cn=config.

Or if you really want slapd.conf style rootpw setting, try doing it like the tests do now. (You may need to pull from CVS.) Several of the overlays that are dynamically configurable generate a rootdn/rootpw in a separate file called configpw.conf. (and keep a copy of the plaintext, obviously...) This file is then used as part of the main slapd.conf by the magic of the include directive. e.g. from openldap/tests/data/slapd-translucent-local.conf:

database config
include "configpw.conf"

This could just as easily be used for any other database, or any other configurable parameters you want your script to read and change without understanding the full complexity of slapd.conf.

> My question has to do with the random salt.  How do I verify the
> existing password?

We do not currently have a standalone tool providing that functionality, but what you are looking for is in liblutil.

> Going through slappasswd doesn't appear to work,
> since it uses a random salt each time.

Yes, slappasswd is for generating not checking password values.

> Furthermore, how does the server know what the salt is?

Since you know how long the particular hash value is, everything else is
the salt.

In other words you need to look up the standard for how that hash works and where the salt goes. Probably a better idea to use the hash/check functions within lutil, or rely on slapd to do it for you.

Matthew Backes
Symas Corporation