Provided by: slapd-contrib_2.5.13+dfsg-1ubuntu1_amd64 bug


       slapd-pw-pbkdf2 - PBKDF2 password module to slapd



              moduleload pw-pbkdf2


       The  pw-pbkdf2  module  to  slapd(8)  provides  support  for the use of the key stretching
       function PBKDF2 (Password-Based Key Derivation Function 2) following RFC  2898  in  hashed
       passwords in OpenLDAP.

       It does so by providing the following additional password schemes for use in slapd:

                     alias to {PBKDF2-SHA1}

                     PBKDF2 using HMAC-SHA-1 as the underlying pseudorandom function

                     PBKDF2 using HMAC-SHA-256 as the underlying pseudorandom function

                     PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function


       The pw-pbkdf2 module does not need any configuration.

       After  loading  the module, the password schemes {PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256},
       and {PBKDF2-SHA512} will be recognised in values of the userPassword attribute.

       You can then instruct OpenLDAP to use these schemes when processing  the  LDAPv3  Password
       Modify (RFC 3062) extended operations by using the password-hash option in slapd.conf(5).


       If  you  want  to  use the schemes described here with slappasswd(8), remember to load the
       module using its command line options.  The relevant option/value is:

              -o module-load=pw-pbkdf2

       Depending on pw-pbkdf2's location, you may also need:

              -o module-path=pathspec


       All of the userPassword LDAP attributes below encode the password 'secret'.

       userPassword: {PBKDF2-SHA512}10000$/oQ4xZi382mk7kvCd3ZdkA$2wqjpuyV2l0U/a1QwoQPOtlQL.UcJGNACj1O24balruqQb/NgPW6OCvvrrJP8.SzA3/5iYvLnwWPzeX8IK/bEQ

       userPassword: {PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg

       userPassword: {PBKDF2-SHA1}10000$QJTEclnXgh9Cz3ChCWpdAg$9.s98jwFJM.NXJK9ca/oJ5AyoAQ

       To make {PBKDF2-SHA512} the password hash used in  Password  Modify  extended  operations,
       simply set this line in slapd.conf(5):

       password-hash   {PBKDF2-SHA512}


       slapd.conf(5), ldappasswd(1), slappasswd(8), ldap(3),

       "OpenLDAP Administrator's Guide" (


       This  manual  page  has  been written by Peter Marschall based on the module's README file
       written by HAMANO Tsukasa <>

       OpenLDAP is developed and maintained by The OpenLDAP  Project  (
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.