Quanah,
You are right about SHA256: somehow the extra "S" seems to have got lost during my
experiments 😉
Anyway I found the problem, and it might reveal another bug in the OpenLDAP
server I am using:
When adding olcPasswordHash to olcDatabase={-1}frontend,cn=config failed, I
simply added it to cn=config (where it succeeded).
However the correct fix was to add the missing "objectClass: olcFrontendConfig"
to olcDatabase={-1}frontend,cn=config, and then add the "olcPasswordHash:
{SSHA256}" to olcDatabase={-1}frontend,cn=config. Then slapcat also does not
complain.
I thought I'd write this for others.
Why slapd allowed adding the attribute to cn=config I cannot explain, sorry.
The frontend database missing olcFrontendConfig had never been a problem so far.
Unfortunately ldapmodify refuses to add the missing objectClass; only
slapmodify would do:
ldap_modify: Server is unwilling to perform (53)
additional info: objectclass modification disallowed
Kind regards,
Ulrich Windl
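Added example (not code from this thread or from OpenLDAP): a small Python checker that reads a `slapcat -n 0` style cn=config dump and reports the states discussed above, i.e. olcPasswordHash placed on cn=config instead of the frontend database, the frontend entry lacking olcFrontendConfig, and a SHA-2 scheme configured without pw-sha2 loaded (or spelled without braces, or unsalted). The minimal LDIF parser and the sample dump are constructed for illustration; it assumes pw-sha2 is what provides the {SHA256}/{SSHA256} family of schemes.

```python
import re

FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"
# SHA-2 schemes exist only once the contrib pw-sha2 module is loaded (assumption: that set).
PW_SHA2_SCHEMES = {"SHA256", "SHA384", "SHA512", "SSHA256", "SSHA384", "SSHA512"}

def parse_ldif(text):
    # Minimal LDIF reader: {dn: {attr(lowercase): [values]}}, joining folded lines.
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:          # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.get("dn", [""])[0]] = attrs
    return entries

def check_password_hash(ldif_text):
    # Returns a list of findings; an empty list means the hash setup is consistent.
    entries = parse_ldif(ldif_text)
    root, frontend = entries.get("cn=config", {}), entries.get(FRONTEND_DN, {})
    findings = []
    if "olcpasswordhash" in root:
        findings.append("olcPasswordHash is on cn=config; it belongs on " + FRONTEND_DN)
    if "olcFrontendConfig" not in frontend.get("objectclass", []):
        findings.append(FRONTEND_DN + " lacks objectClass olcFrontendConfig")
    loaded = any("pw-sha2" in v for e in entries.values() for v in e.get("olcmoduleload", []))
    for value in root.get("olcpasswordhash", []) + frontend.get("olcpasswordhash", []):
        for token in value.split():                    # a value may list several schemes
            if not re.fullmatch(r"\{[A-Za-z0-9-]+\}", token):
                findings.append(token + " is not a scheme; schemes are written as {NAME}")
                continue
            scheme = token.strip("{}").upper()
            if scheme in PW_SHA2_SCHEMES and not loaded:
                findings.append(token + " needs olcModuleLoad pw-sha2, else slapcat reports 'scheme not available'")
            if scheme in PW_SHA2_SCHEMES and not scheme.startswith("SSHA"):
                findings.append(token + " is unsalted; prefer {S" + scheme + "}")
    return findings

# Constructed sample reproducing the state described in the thread (not a real server dump).
BROKEN = ("dn: cn=config\nobjectClass: olcGlobal\nolcPasswordHash: {sha256}\n\n"
          "dn: olcDatabase={-1}frontend,cn=config\nobjectClass: olcDatabaseConfig\n")

if __name__ == "__main__":
    print(*check_password_hash(BROKEN), sep="\n")
```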
> -----Original Message-----
> From: Quanah Gibson-Mount <[email protected]>
> Sent: Tuesday, April 22, 2025 5:44 PM
> To: Windl, Ulrich <[email protected]>; [email protected]
> Subject: [EXT] Re: slapcat complains "scheme not available" after using
> "olcPasswordHash: sha256"
>
> --On Tuesday, April 22, 2025 2:07 PM +0000 "Windl, Ulrich" <[email protected]>
> wrote:
> >
> > Hi!
> >
> > Using OpenLDAP 2.5 from SLES15 SP6 I added "olcPasswordHash: sha256"
> > ("olcPasswordHash: {sha256}") to cn=config (I wanted to add it to the
> > {-1}frontend database, but slapd refused).
> >
> > I was able to set {SHA256} RootPWs, but now when I try slapcat, I get an
> > error saying:
> >
> > Is it my error, or slapcat's?
>
> If you didn't add pw-sha2 as a moduleload to the server configuration, then
> it would be your error, and based on the output, that appears to be the
> case. I would additionally note that it's a very bad idea to use SHA256,
> SSHA256 would be significantly better since then it is salted.
>
> --Quanah
>