Copyright 2015-2021 The OpenLDAP Foundation All Rights Reserved.
Copying restrictions apply. See COPYRIGHT/LICENSE.
$OpenLDAP$
slapd-pw-sha2 - SHA-2 password module to slapd ETCDIR/slapd.conf

The pw-sha2 module to slapd (8) provides support for the use of SSHA-512, SSHA-384, SSHA-256, SHA-512, SHA-384 and SHA-256 from the SHA-2 family (FIPS 180-2) of hash functions in hashed passwords in OpenLDAP.

It does so by providing the following additional password schemes for use in slapd:

The pw-sha2 module does not need any configuration.

After loading the module, the password schemes {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384}, and {SHA512} will be recognised in values of the userPassword attribute.

You can then instruct OpenLDAP to use these schemes when processing the LDAPv3 Password Modify (RFC 3062) extended operations by using the password-hash option in slapd.conf (5).

If you want to use the schemes described here with slappasswd (8), don't forget to load the module using its command line options. The relevant option/value is: Depending on pw-sha2 's location, you may also need: All of the userPassword LDAP attributes below encode the password ' secret '. .EX

userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

To make {SSHA512} the password hash used in Password Modify extended operations, simply set this line in slapd.conf(5): .EX

password-hash {SSHA512} .EX

slapd.conf (5), ldappasswd (1), slappasswd (8), ldap (3),

"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

This manual page has been written by Peter Marschall based on the module's README file written by Jeff Turner.

OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release.