[email protected] wrote:
> Full_Name: Antoine TRAN
> Version: openldap-servers-2.4.44-21.el7_6.x86_64
> OS: CentOS Linux release 7.7.1908 (Core)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.190.88.94)
>
>
> I use slappasswd to generate an SSHA password. The issue is that its behavior is
> different whether I submit the password on stdin or on the command line with '-s',
> or from a secret file with '-T'. Command:
> slappasswd -h {SSHA}
> => write 'd' twice as password
> slappasswd -h {SSHA} -s d
>
> provides a working SSHA.
>
> But:
> echo d >/run/secrets/rootpw
> slappasswd -h {SSHA} -T /run/secrets/rootpw
> provides a valid SSHA, but one that does not match the password.
>
> My multiple tests are done by replacing rootpw in /etc/openldap/slapd.conf,
> regenerating with:
> systemctl stop slapd
> sed -i -e "s,rootpw .*\$,rootpw ${ROOTPW_HASH},g" /etc/openldap/slapd.conf
> slapcat -n 0 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
> systemctl start slapd
> ldapsearch -D "${ROOTDN}" -w "${ROOTPW}"
>
> The content of the secret file can be "d" or "d\n"; it does not make a
> difference. Also, if I change the scheme from SSHA to just a fixed salt, the
> '-T' option seems to work as expected:
> (a) slappasswd -c 123
> => write d twice
> (b) slappasswd -c 123 -s 123
> (c) slappasswd -c 123 -T /run/secrets/rootpw
>
> (a), (b) and (c) give the exact same hash. But I cannot use a fixed salt
> together with SSHA; slappasswd prevents me from that, with an error that the
> scheme was already provided.
Unable to reproduce, SSHA works fine here. Obviously you can't use a fixed salt with SSHA; the point of its salt is to be random and different every time. When using a password in a file you must ensure the trailing '\n' is omitted. This is already documented in the manpage.

>
> I saw the same issue in another openldap mail:
> https://www.openldap.org/lists/openldap-software/200805/msg00060.html but no
> answer.
>

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
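The two points in this thread (a random salt makes every {SSHA} value look different while all of them still verify, and a secret file written with `echo` carries a trailing newline that silently becomes part of the password) can be checked without a running slapd. The example below is added here and is not OpenLDAP code or code from either poster; it assumes the standard {SSHA} layout slapd uses (base64 of the SHA-1 digest of password plus salt, followed by the salt) and the manpage's behaviour that `-T` takes the file bytes verbatim. The `secret_file_problems` helper and the constructed `FILE_FROM_ECHO` / `FILE_FROM_PRINTF` inputs are illustrative names, not part of slappasswd.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # length of a SHA-1 digest in bytes


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt).

    A fresh random salt on every call is why two hashes of the same password
    never look alike yet both verify, and why a fixed salt makes no sense here.
    """
    if salt is None:
        salt = os.urandom(4)  # constructed: 4 random bytes; any length works
    digest = hashlib.sha1(password + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def secret_file_problems(contents: bytes) -> List[str]:
    """Report bytes in a '-T' secret file that a user would not type.

    Hypothetical helper: slappasswd uses the file contents verbatim, so a
    trailing newline is hashed as part of the password.
    """
    problems = []
    if contents.endswith(b"\r\n"):
        problems.append("trailing CRLF")
    elif contents.endswith(b"\n"):
        problems.append("trailing LF")
    if contents != contents.strip(b" \t"):
        problems.append("leading or trailing blanks")
    if b"\n" in contents.rstrip(b"\r\n"):
        problems.append("embedded newline")
    return problems


# Constructed sample inputs: what `echo d > file` and `printf '%s' d > file` write.
FILE_FROM_ECHO = b"d\n"
FILE_FROM_PRINTF = b"d"
TYPED_PASSWORD = b"d"  # what the user later types into ldapsearch -w


def demo() -> dict:
    """Hash both file variants and verify them against the typed password."""
    h_echo = ssha_hash(FILE_FROM_ECHO)
    h_printf = ssha_hash(FILE_FROM_PRINTF)
    return {
        "echo_file_verifies": ssha_verify(TYPED_PASSWORD, h_echo),
        "printf_file_verifies": ssha_verify(TYPED_PASSWORD, h_printf),
        "echo_file_problems": secret_file_problems(FILE_FROM_ECHO),
        "same_password_two_hashes_differ": ssha_hash(b"d") != ssha_hash(b"d"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the hash built from `d\n` is perfectly well formed but never matches the typed `d`, which is exactly the symptom reported; writing the secret with `printf '%s'` (or stripping the newline before handing it to `-T`) is the fix the reply points at.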
