Commit d57092ea authored by Kurt Zeilenga

Misc doc updates

parent f937dd16
......@@ -440,12 +440,25 @@ and
The default is
.BR {SSHA} .
Note that
.B {SHA}
and
.B {SSHA}
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
.B {MD5}
and
.B {SMD5}
use the MD5 algorithm (RFC 1321), the latter with a seed.
.B {CRYPT}
uses the
.BR crypt (3).
.B {CLEARTEXT}
indicates that the new password should be
added to userPassword as clear text.
Also, note that this option does not alter the normal user applications
Note that this option does not alter the normal user applications
handling of userPassword during LDAP Add, Modify, or other LDAP operations.
.TP
.B password\-crypt\-salt\-format <format>
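Review bot: The standards reference in the added {SHA}/{SSHA} sentence reads "FIPS 160-1", but SHA-1 is specified in FIPS 180-1; please correct the number. In the same added text, "the latter with a seed" would read better as "salt", matching the password-crypt-salt-format directive that follows, and "uses the crypt(3)" is missing a noun such as "function".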
......
......@@ -29,7 +29,7 @@ configuration directive.
enable verbose mode.
.TP
.B \-u
Generate RFC2307 userPassword values (the default). Future
Generate RFC 2307 userPassword values (the default). Future
versions of this program may generate alternative syntaxes
by default. This option is provided for forward compatibility.
.TP
......@@ -38,7 +38,7 @@ The secret to hash. If not provided, the user will be prompted
for the secret to hash.
.TP
.BI \-h " scheme"
If -h is specified, one of the following RFC2307 schemes may
If -h is specified, one of the following RFC 2307 schemes may
be specified:
.IR {CRYPT} ,
.IR {MD5} ,
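Review bot: The rewritten sentence still spells the option as a bare "-h" ("If -h is specified, one of the following RFC 2307 schemes may"), while the macro lines around it escape the hyphen as "\-h" and "\-u". Since this line is being touched anyway, write it as "\-h" so the option renders the same way in the running text as in its heading.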
......@@ -47,6 +47,24 @@ be specified:
.IR {SHA} .
The default is
.IR {SSHA} .
.B {SHA}
and
.B {SSHA}
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
.B {MD5}
and
.B {SMD5}
use the MD5 algorithm (RFC 1321), the latter with a seed.
.B {CRYPT}
uses the
.BR crypt (3).
.B {CLEARTEXT}
indicates that the new password should be added to userPassword as
clear text.
.TP
.BI \-c " crypt-salt-format"
Specify the format of the salt passed to
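Review bot: The {CLEARTEXT} sentence added here repeats the wording from the first hunk of this commit ("indicates that the new password should be added to userPassword as clear text"), which does not fit a program that takes "the secret to hash" and generates a value; reword it to say the secret is emitted unhashed. The added scheme names also use .B where the list directly above uses .IR for the same names, and "FIPS 160-1" should be FIPS 180-1, the SHA-1 specification.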
......@@ -63,9 +81,11 @@ versions of crypt(3) to use an MD5 algorithm and provides
provides 31 characters of salt.
.SH LIMITATIONS
The practice storing hashed passwords in userPassword violates
Standard Track (RFC2256) schema specifications and may hinder
interoperability. A new attribute type to hold hashed
passwords is needed.
Standard Track (RFC 2256) schema specifications and may hinder
interoperability. A new attribute type, authPassword, to hold
hashed passwords has been defined (RFC 3112), but is not yet
implemented in
.BR slapd (8).
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
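Review bot: The context line that opens LIMITATIONS, "The practice storing hashed passwords in userPassword", is missing "of" and sits directly above the lines being rewritten, so it should be fixed in this change. The new statement that authPassword "is not yet implemented in slapd(8)" will also go stale without notice; consider tying it to a release.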
......@@ -77,6 +97,9 @@ were clear text passwords.
.BR ldapmodify (1),
.BR slapd (8)
.BR slapd.conf (5)
.B RFC 2307
.B RFC 2256
.B RFC 3112
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
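Review bot: The three RFC entries added to SEE ALSO carry no separators, and the preceding ".BR slapd (8)" line already lacks the trailing comma that ".BR ldapmodify (1)," has, so the list renders as one unpunctuated run of names. Add commas to each entry except the last, for example ".BR slapd (8)," and ".BR slapd.conf (5),".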
......
......@@ -31,6 +31,7 @@ rfc3088.txt OpenLDAP Root Service (E)
rfc3112.txt LDAP Authentication Password Schema (I)
rfc3296.txt Named Subordinate References in LDAP (PS)
rfc3377.txt LDAP(v3): Technical Specification (PS)
rfc3383.txt IANA Considerations for LDAP (BCP)
Legend:
......