Provided by: slapd-contrib_2.5.13+dfsg-1ubuntu1_amd64 bug


       slapd-pw-sha2 - SHA-2 password module to slapd



              moduleload pw-sha2


       The  pw-sha2  module  to  slapd(8)  provides  support  for  the use of SSHA-512, SSHA-384,
       SSHA-256, SHA-512, SHA-384 and  SHA-256  from  the  SHA-2  family  (FIPS  180-2)  of  hash
       functions in hashed passwords in OpenLDAP.

       It does so by providing the following additional password schemes for use in slapd:

                     SHA-256 with salt, giving hash values of 256 bits length

                     plain SHA-256 giving hash values of 256 bits length

                     SHA-384 with salt, giving hash values of 384 bits length

                     plain SHA-384 giving hash values of 384 bits length

                     SHA-512 with salt, giving hash values of 512 bits length

                     plain SHA-512 giving hash values of 512 bits length


       The pw-sha2 module does not need any configuration.

       After loading the module, the password schemes {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256},
       {SHA384}, and {SHA512} will be recognised in values of the userPassword attribute.

       You can then instruct OpenLDAP to use these schemes when processing  the  LDAPv3  Password
       Modify (RFC 3062) extended operations by using the password-hash option in slapd.conf(5).


       If you want to use the schemes described here with slappasswd(8), don't forget to load the
       module using its command line options.  The relevant option/value is:

              -o module-load=pw-sha2

       Depending on pw-sha2's location, you may also need:

              -o module-path=pathspec


       All of the userPassword LDAP attributes below encode the password 'secret'.

       userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

       userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

       userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

       To make {SSHA512} the password hash used in Password Modify  extended  operations,  simply
       set this line in slapd.conf(5):

       password-hash   {SSHA512}


       slapd.conf(5), ldappasswd(1), slappasswd(8), ldap(3),

       "OpenLDAP Administrator's Guide" (


       This  manual  page  has  been written by Peter Marschall based on the module's README file
       written by Jeff Turner.

       OpenLDAP is developed and maintained by The OpenLDAP  Project  (
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.