How do you set password-hash for OpenLDAP?

I have the following version on Ubuntu 12.04:

OpenLDAP: slapd  (Sep 19 2013 22:49:31) $
buildd@batsu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd

OpenLDAP now offers SSHA as the default hash. I want to use a different hash. Yet, old tutorials are based on editing /etc/ldap/slapd.conf, which is gone in newer versions of OpenLDAP. Which file should I change?


Okay. I figured this out with help from IRC and reading the man page.

Assuming you don't want to re-create anything but just want to add password-hash to an existing LDAP backend, and you are running Ubuntu (this was tested on an Ubuntu machine only, but the method should be OS-agnostic):

We will be using ldapmodify to add, modify and remove entries.

Step 1: Create test.conf

We will create a file called test.conf and add the following:

dn: olcDatabase={-1}frontend,cn=config
add: olcPasswordHash
olcPasswordHash: {CRYPT}

The dn is different if you have a different database. I started out not knowing where to place it, so I simulated it:

sudo su            # do this as root
cd /etc/ldap/
mkdir test.d
slaptest -f test.conf -F test.d

The last command will convert existing test.conf (my name for the famous old slapd.conf) to the new cn=config format.

If you tree the test.d directory, and if you read each of the ldif files, you will find exactly the file you want to modify. In my case (possibly for all Ubuntu users out there), it would be olcDatabase={-1}frontend.ldif.

The other thing is cn=config. This is because that ldif file exists under the cn=config directory.

This is a good way to find out where the attribute is supposed to belong.

Step 2: Run ldapmodify

root@test32giab:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f test.conf

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"

If you now check the ldif file, it should have olcPasswordHash attribute.

If you want to specify the format of the hash, you can do this. Assuming you are following the previous two steps, you either comment out everything or start with a new file. The file needs to contain the following lines:

dn: cn=config
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $5$rounds=8000$%.16s

Run this using the same ldapmodify command. Now LDAP account passwords will be hashed using SHA-256 ($6$ is SHA-512) plus a 16-char-long salt and hashed 8000 times.

The dn entry is cn=config because this value (based on my simulation using step 1) is in the cn=config.ldif file.

To learn about the format, check http://www.openldap.org/lists/openldap-technical/201305/msg00002.html

If you are experimenting with different formats, you can try using the replace method. So the file would look like this.

dn: cn=config
replace: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $5$%.16s

Now I removed the 8000-time iteration. I think by default SHA-256-CRYPT is hashed 5000 times.

You can read more about this by doing man ldapmodify and scrolling down to near the bottom of the man page.
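The answer above configures slapd to store {CRYPT} values and hands the salt format to the system crypt(3); slapd's {CRYPT} scheme delegates the actual hashing to the C library, so with glibc a format of $5$rounds=8000$%.16s produces Drepper's SHA-256 crypt with a 16-character salt and 8000 rounds. The following is an added example (not code from the question, the answer, or OpenLDAP) that models those stored values offline in pure Python: it implements the $5$ SHA-crypt algorithm as glibc does it, builds the salt string the way the printf-style olcPasswordCryptSaltFormat implies (the slapd_salt() model is an assumption, not OpenLDAP's own code), and verifies a {CRYPT} userPassword value without talking to the directory. It covers $5$ only; $6$ uses the same construction over SHA-512 but a different output permutation, which is left out here.

```python
"""Offline model of the userPassword values slapd stores once olcPasswordHash is
{CRYPT} and olcPasswordCryptSaltFormat is "$5$rounds=8000$%.16s".
Added example; SHA-crypt per Drepper's specification (what glibc crypt(3) runs),
slapd_salt() is an assumed model of slapd's salt handling, not OpenLDAP code."""
import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SETTINGS_RE = re.compile(r"\$5\$(?:rounds=(\d+)\$)?([^$]{0,16})")


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _fill(block: bytes, length: int) -> bytes:
    """Repeat a 32-byte digest to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]


def sha256_crypt(password: str, settings: str) -> str:
    """glibc-compatible $5$ crypt. `settings` is "$5$[rounds=N$]salt[$hash]";
    a full stored hash is accepted, so the result can be compared to it."""
    m = SETTINGS_RE.match(settings)
    if not m:
        raise ValueError("not a $5$ settings string")
    custom = m.group(1) is not None
    rounds = min(max(int(m.group(1)), ROUNDS_MIN), ROUNDS_MAX) if custom else ROUNDS_DEFAULT
    salt = m.group(2).encode()          # at most 16 chars, up to the next '$'
    key = password.encode()

    b = _h(key + salt + key)            # digest B
    a_in = key + salt + _fill(b, len(key))
    n = len(key)
    while n > 0:                        # bits of len(key), lowest first
        a_in += b if n & 1 else key
        n >>= 1
    a = _h(a_in)                        # digest A
    p = _fill(_h(key * len(key)), len(key))        # P: key-derived bytes
    s = _fill(_h(salt * (16 + a[0])), len(salt))   # S: salt-derived bytes

    c = a
    for i in range(rounds):             # the cost loop rounds= controls
        c_in = p if i & 1 else c
        if i % 3:
            c_in += s
        if i % 7:
            c_in += p
        c_in += c if i & 1 else p
        c = _h(c_in)

    # crypt's permuted base64: 3 bytes -> 4 chars, low 6 bits first
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    out = []
    for b2, b1, b0 in order:
        w = (c[b2] << 16) | (c[b1] << 8) | c[b0]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    w = (c[31] << 8) | c[30]            # final 2 bytes -> 3 chars
    for _ in range(3):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    prefix = f"$5$rounds={rounds}$" if custom else "$5$"
    return prefix + salt.decode() + "$" + "".join(out)


def slapd_salt(salt_format: str = "$5$rounds=8000$%.16s") -> str:
    """Assumed model of slapd's {CRYPT} salt handling: random salt characters
    pushed through the printf-style format, so %.16s keeps 16 of them and
    "$5$%.16s" yields the 5000-round default."""
    chars = "".join(secrets.choice(ITOA64) for _ in range(16))
    return salt_format % chars


def ldap_crypt_hash(password: str, salt_format: str = "$5$rounds=8000$%.16s") -> str:
    """The userPassword value slapd would store under this configuration."""
    return "{CRYPT}" + sha256_crypt(password, slapd_salt(salt_format))


def stored_rounds(stored: str) -> int:
    """Cost baked into a stored value (5000 when no rounds= is present)."""
    value = stored[len("{CRYPT}"):] if stored.startswith("{CRYPT}") else stored
    m = SETTINGS_RE.match(value)
    if not m:
        raise ValueError("not a {CRYPT}$5$ value")
    return int(m.group(1)) if m.group(1) else ROUNDS_DEFAULT


def ldap_crypt_verify(password: str, stored: str) -> bool:
    """Check a {CRYPT}$5$... userPassword value offline, in constant time."""
    if not stored.startswith("{CRYPT}$5$"):
        return False
    settings = stored[len("{CRYPT}"):]
    return hmac.compare_digest(sha256_crypt(password, settings), settings)
```

Two practitioner notes on what this models. First, olcPasswordHash only governs hashes slapd generates itself, i.e. passwords set through the Password Modify extended operation (ldappasswd); a userPassword value written directly with ldapadd or ldapmodify is stored exactly as supplied, so pre-hash it (slappasswd, or a routine like the one above) before writing it that way. Second, {CRYPT} only works if slapd was built with crypt support, which the Ubuntu package is; if the scheme is unavailable, password changes fail rather than silently falling back to {SSHA}.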