Vishal

Reputation: 742

How to view password storage scheme used in OpenLDAP?

Currently we are using OpenLDAP version 2.4. From what I know, the default password storage scheme is SSHA.

But is there any way I can view it on the console? I need to send a screenshot where it is mentioned that the password storage scheme of our OpenLDAP is SSHA.

UPDATE: the olcPasswordHash attribute is not specified in any LDIF files present under the cn=config folder.

Upvotes: 0

Views: 2566

Answers (2)

Robert Siemer

Reputation: 34751

COLUMNS=1000 man slappasswd | grep -- -h | grep default

...shows on my system:

If -h is specified, one of the following RFC 2307 schemes may be specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.

To see if that default is actually used throughout the database: dump all userPassword attributes (might need to decode base64 if ldif is used) and check that they all start with that {SSHA} string.

Upvotes: 0
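The check described above (dump every userPassword value, base64-decode it if the LDIF writer encoded it, and look at the {SCHEME} prefix), written out as an added example that is not part of the answer. It assumes the slapcat LDIF output has been read into a string; the entries and hash strings in SAMPLE_LDIF are constructed placeholders, not real data.

```python
# Added example: tally the storage scheme of every userPassword value in an
# LDIF dump such as `slapcat -l dump.ldif`, handling base64 values ("::"),
# RFC 2849 folded continuation lines and cleartext passwords.
import base64
import re
from collections import Counter

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

# Constructed sample of slapcat output; hash values are placeholders.
_FOLDED = base64.b64encode(b"{SSHA}" + b"placeholderhashbytes" * 2).decode()
SAMPLE_LDIF = (
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: {CRYPT}$6$placeholder$hash\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword:: " + _FOLDED[:30] + "\n " + _FOLDED[30:] + "\n\n"
    "dn: uid=dave,ou=people,dc=example,dc=com\n"
    "userPassword: hunter2\n"
)

def unfold(ldif):
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    buf = None
    for line in ldif.splitlines():
        if line.startswith(" ") and buf is not None:
            buf += line[1:]
            continue
        if buf is not None:
            yield buf
        buf = line
    if buf is not None:
        yield buf

def password_schemes(ldif):
    """Return [(dn, scheme)] per userPassword; CLEARTEXT when no {...} prefix."""
    result, dn = [], "?"
    for line in unfold(ldif):
        attr, _, raw = line.partition(":")
        if attr.lower() == "dn":
            dn = raw.strip()
        elif attr.lower() == "userpassword":
            if raw.startswith(":"):  # "::" marks a base64-encoded value
                raw = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            m = SCHEME_RE.match(raw.strip())
            result.append((dn, m.group(1).upper() if m else "CLEARTEXT"))
    return result

def scheme_summary(ldif):
    # Per-scheme counts, so anything other than SSHA stands out at a glance.
    return dict(Counter(s for _, s in password_schemes(ldif)))
```

Any CLEARTEXT or non-SSHA entry in the summary is a value that was stored before the default scheme or a ppolicy hash-cleartext setting applied to it.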

EricLavault

Reputation: 16095

Depending on the configuration mode, you can check if it's set:

  • Using a slapd.conf file:

    grep password-hash slapd.conf

  • Using on-line configuration (OLC):

    slapcat -n 0 -a olcPasswordHash=*


The olcPasswordHash attribute is defined at the database level (like in olcDatabase={<n>}<name>,cn=config), so you won't find it directly in cn=config.ldif but in the corresponding LDIF file. That's why you'd better use slapcat.


A password policy may also require cleartext passwords to be hashed. The ppolicy overlay enables this behavior via the ppolicy_hash_cleartext flag (cf. slapo-ppolicy):

ppolicy_hash_cleartext: Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database.

In this case, SSHA is used if no password storage scheme is explicitly set via password-hash or olcPasswordHash, so you would just check for the flag:

  • Using a slapd.conf file:

    grep ppolicy_hash_cleartext slapd.conf

  • Using on-line configuration (OLC):

    slapcat -n 0 -a olcPPolicyHashCleartext=*


If the attribute is not set: How do you set password-hash for OpenLDAP?

Upvotes: 0
