> dsconf slapd-YOUR_INSTANCE directory_manager password_change --> this
> will prompt you for the new password
That did the trick, thanks a lot!
It also made me curious how the actual format for 'nsslapd-rootpw' was and it
turns out I wasn't off with '{crypt}$6$...':
# dsconf localhost config get | grep rootpw
nsslapd-rootpw:
{crypt}.mR.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
nsslapd-rootpwstoragescheme: CRYPT-SHA512
However, I noticed that the hash was not what I fed into dsconf. So it turns
out that one _can_ set the rootpw through dsconf but it has to be in plain text:
# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512
nsslapd-rootpw="secret"
Successfully replaced "nsslapd-rootpwstoragescheme"
Successfully replaced "nsslapd-rootpw"
# dsconf localhost config get | grep rootpw
nsslapd-rootpw:
{crypt}$6$bW$Gea8I1Xoi.zkkGWBvrIxIm41G3/90hX2L4H3hMt18js7VzkT14YNuNtY4Ueao181O/MfPuPn4TmyQFcGZIThI.
nsslapd-rootpwstoragescheme: CRYPT-SHA512
Since I'd like to change the password non-interactively this seems a bit easier
than fiddling around with 'dsconf slapd-YOUR_INSTANCE directory_manager
password_change' which doesn't seem to have an option to read the password from
stdin?
I did some more research and switching from PBKDF2_SHA256 to CRYPT-SHA512
probably has no significant security benefit anyway so in the end this was a
bit of an academic exercise. If someone has an opinion on that, I'd be
interested to hear that though.
Thanks again Mark for your quick help.
Cheers!
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
