slappasswd Command in Linux: Generate OpenLDAP Password Hashes

slappasswd generates RFC 2307 password values for OpenLDAP userPassword attributes and the cn=config olcRootPW setting on RHEL-family LDAP servers.

Published

Updated

Read time 9 min read

Reviewed byDeepak Prasad

slappasswd Command in Linux: Generate OpenLDAP Password Hashes
About slappasswd generates RFC 2307 password values for OpenLDAP userPassword attributes and the cn=config olcRootPW setting on RHEL-family LDAP servers.
Tested on Rocky Linux 10.2; OpenLDAP 2.6.10; openldap-servers from EPEL
Package openldap-servers (apt/deb) · openldap-servers (dnf/rpm)
Man page slappasswd(8)
Privilege root
Distros RHEL-family with openldap-servers (EPEL)
Related guide

slappasswd — quick reference

Generate a password value

Create a value suitable for an LDAP userPassword attribute or olcRootPW; protect the resulting hash like a password.

When to use Command
Prompt securely for a password and emit the default {SSHA} value sudo slappasswd
Hash a known lab secret supplied on the command line sudo slappasswd -s 'LabPass123!'
Generate a random clear-text secret sudo slappasswd -g
Explicitly select the salted SHA-1 scheme sudo slappasswd -h '{SSHA}' -s 'LabPass123!'
Emit an RFC 2307 userPassword value (the current default) sudo slappasswd -u -s 'LabPass123!'
Read the secret from a protected file sudo slappasswd -T /root/ldap-secret.txt
Omit the trailing newline for scripting sudo slappasswd -n -s 'LabPass123!'

Hash schemes

OpenLDAP 2.6 on Rocky Linux 10.2 accepts several {SCHEME} prefixes. Prefer {SSHA} for new values.

When to use Command
Default salted SHA-1 (recommended for new hashes) sudo slappasswd -h '{SSHA}' -s 'LabPass123!'
Unsalted SHA-1 (legacy only) sudo slappasswd -h '{SHA}' -s 'LabPass123!'
MD5 (legacy only) sudo slappasswd -h '{MD5}' -s 'LabPass123!'
crypt(3) password sudo slappasswd -h '{CRYPT}' -s 'LabPass123!'
Control crypt salt format sudo slappasswd -h '{CRYPT}' -c 'salt' -s 'LabPass123!'

Set olcRootPW on the server

The database administrator password for your suffix lives in cn=config, not in the directory tree itself.

When to use Command
Generate a hash for olcRootPW sudo slappasswd
Discover the MDB database DN sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSuffix=dc=example,dc=com)" dn
Preview an olcRootPW LDIF change sudo ldapmodify -n -v -Q -Y EXTERNAL -H ldapi:/// -f configure-mdb.ldif
Apply the olcRootPW change over LDAPI sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f configure-mdb.ldif
Confirm the administrator bind afterward ldapwhoami -x -ZZ -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W

Help

When to use Command
Show usage and supported options slappasswd -h
Print verbose scheme details sudo slappasswd -v -s 'LabPass123!'

slappasswd — command syntax

Synopsis from OpenLDAP 2.6:

text
/usr/sbin/slappasswd [-v] [-u] [-g|-s secret|-T file] [-h hash] [-c salt-format] [-n] [-o option[=value]]

Use one input method: -s, -g, or -T. -g and -h cannot be combined. Root is only needed when your server policy restricts the binary; use a protected terminal and avoid leaving clear-text secrets in shell history.


slappasswd — command examples

Essential Hash a lab password with the default scheme

Generate the value before setting a directory-manager password in a disposable lab. Quoting the secret prevents the shell from interpreting !.

bash
sudo slappasswd -s 'LabPass123!'

Sample output:

output
{SSHA}U/8zYVk9dI894n/rMTUzSej+5Q9vBw60

The {SSHA} prefix tells OpenLDAP how to verify the value; the random salt means another run produces a different hash for the same secret.

Essential Prompt instead of placing a secret in history

On a real server, omit -s so the password is entered at the prompt rather than recorded in the command history.

bash
sudo slappasswd

The program prompts twice and prints one hash after the values match. Paste that hash into the intended LDIF only; do not store the clear-text password beside it.

Common Make the RFC 2307 output explicit

Use -u when a script should state that it expects the RFC 2307 userPassword syntax, even though it is the current default.

bash
sudo slappasswd -u -s 'LabPass123!'

Sample output:

output
{SSHA}UfizA53Z7w2WfO0AuINU/5Q1mSZ96fV6

The output remains a scheme-tagged password value such as {SSHA}...; it is safe to place in userPassword, but is still sensitive credential material.

Common Select an SSHA scheme explicitly

Specify the scheme when documenting a controlled migration or when a configuration standard requires it.

bash
sudo slappasswd -h '{SSHA}' -s 'LabPass123!'

Sample output:

output
{SSHA}pOSTwXROas4ELWpRtFR780W01apTZRhx

The shell quotes {SSHA} so brace expansion cannot alter it. Avoid {SHA} and {MD5} for new deployments because they are older unsalted or weaker choices.

Common Compare legacy hash schemes

OpenLDAP 2.6.10 still generates older schemes when asked, but new userPassword and olcRootPW values should stay on {SSHA} or stronger policy.

bash
sudo slappasswd -h '{SHA}' -s 'LabPass123!'

Sample output:

output
{SHA}8JofvXi6CJmUQ0JvofnSRbp5Rfk=

The unsalted {SHA} form is deterministic for the same password, which is one reason salted schemes are preferred today.

Common Generate a random secret for a lab

-g emits a random clear-text secret, not a stored hash. Use it when another protected process will immediately consume the password.

bash
sudo slappasswd -g

Sample output:

output
sD3rxbQu

Treat the output as a password, not a hash. Do not use -g with -h; those flags are mutually exclusive.

Advanced Read a secret from a root-only file

For noninteractive automation, keep the input in a file readable only by root and let -T read its contents.

bash
sudo slappasswd -T /root/ldap-secret.txt

Sample output:

output
{SSHA}UiuLDzAZqkKIhb2jLhqNV3lO5z4ehCGm

The command hashes the file contents. Keep the file out of source control and remove it after a one-time bootstrap when possible.

Advanced Emit a hash without a trailing newline

-n is useful when a script captures stdout directly into an LDIF placeholder.

bash
sudo slappasswd -n -s 'LabPass123!'

Sample output:

output
{SSHA}d5QD9+1SOs2ZTU1nLZ4oHe9oOgcVI1oT

There is no newline after the hash, so $(sudo slappasswd -n -s 'secret') does not pick up an extra blank line in shell substitution.

Advanced Prepare an olcRootPW LDIF change

Set the suffix administrator hash in cn=config during OpenLDAP installation on RHEL. Discover $MDB_DN first, then paste the generated hash.

bash
HASH=$(sudo slappasswd -s 'LabPass123!')

Create configure-mdb.ldif with restrictive permissions:

bash
umask 077
cat > configure-mdb.ldif <<EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $HASH
EOF

Preview the change without applying it:

bash
sudo ldapmodify -n -v -Q -Y EXTERNAL -H ldapi:/// -f configure-mdb.ldif

Sample output:

output
replace olcRootPW:
	{SSHA}AmFq9NLKHDQalkf+z07R3d8Qv9YKtmig
!modifying entry "olcDatabase={2}mdb,cn=config"

Remove -n from ldapmodify only after the hash and target DN are correct.

Advanced Verify the new olcRootPW with ldapwhoami

After applying the LDIF, confirm the server accepts the administrator simple bind over StartTLS.

bash
ldapwhoami -x -ZZ -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W

Sample output:

output
Enter LDAP Password:
dn:cn=admin,dc=example,dc=com

A successful dn: line proves the stored hash matches the password you typed at the prompt.


slappasswd — when to use / when not

Use slappasswd whenUse something else when
  • You need an OpenLDAP password value for userPassword or olcRootPW
  • You are preparing an LDIF change before applying it
  • You need a repeatable server-side hash workflow
  • You are bootstrapping olcRootDN credentials in cn=config
  • You need to change an existing LDAP user's password over LDAP → ldapmodify or ldappasswd
  • You need to inspect directory entries → ldapsearch
  • You need to confirm which identity is bound → ldapwhoami
  • You need TLS for simple binds → configure LDAP TLS before transmitting credentials

slappasswd vs ldappasswd

slappasswd ldappasswd
Primary job Creates a stored password value Changes a password through LDAP
Connection Does not contact the directory Binds to an LDAP server
Typical use Prepare olcRootPW or LDIF Reset an existing account password
Runs on LDAP server host Any host with openldap-clients

slappasswd does not update the directory by itself.


These commands cover the client change and server maintenance sides of the LDAP workflow.

Command One line
ldapsearch Query directory entries through LDAP.
ldapmodify Apply LDIF changes through LDAP.
ldapwhoami Confirm the authenticated identity after a password change.
slapcat Export an offline server database to LDIF.
slapadd Load LDIF into an offline server database.

Browse the full Linux commands cheat sheet reference.


slappasswd — interview corner

What does slappasswd do?

It creates a scheme-tagged password value for OpenLDAP configuration or LDAP entries. It does not connect to LDAP or change an entry.

A strong answer is:

"I use slappasswd to generate an RFC 2307 password value, then apply that value through a controlled LDIF change."

Why do two SSHA hashes differ for the same password?

{SSHA} includes a random salt, so equivalent passwords yield different stored values while still verifying correctly.

A strong answer is:

"The random salt prevents identical passwords from having identical hashes; both values can still verify the same password."

Why avoid slappasswd -s in production?

The secret can appear in shell history, process listings, or automation logs. An interactive prompt or protected file reduces that exposure.

A strong answer is:

"I avoid putting production passwords on the command line because command arguments can leak; I use an interactive prompt or tightly controlled secret handling."

Does a hashed userPassword remove the need for TLS?

No. A stored hash protects the directory copy; LDAP simple-bind credentials still need encrypted transport.

A strong answer is:

"Hashing protects storage, while TLS protects credentials in transit. A production LDAP deployment needs both considerations."

Where does olcRootPW belong?

It is stored on the MDB database entry under cn=config, separate from user entries in the suffix.

A strong answer is:

"olcRootPW authenticates olcRootDN for data operations; I change it with ldapmodify over LDAPI, not with a normal suffix bind."

What is the difference between slappasswd -g and -s?

-g prints a random clear-text password, while -s hashes a supplied secret into a scheme-tagged stored value.

A strong answer is:

"-g creates a disposable password I can hand to a user or script; -s creates the LDAP hash I actually store."


Troubleshooting

Symptom Likely cause Fix
! changes or expands in a command Secret was not safely quoted Use single quotes for a disposable lab secret, or omit -s.
-g with -h fails The flags are mutually exclusive Generate a secret separately or hash supplied input with -s/-T.
Password is exposed in history -s was used on a shared shell Rotate the secret and use prompt or protected-file input next time.
Bind still fails after setting a hash TLS, DN, ACL, or the applied LDIF is wrong Verify with ldapwhoami and review server logs.
Invalid credentials after olcRootPW change Wrong hash pasted or LDIF targeted the wrong database DN Re-read olcDatabase={n}mdb from cn=config and regenerate the hash.
{SHA} or {MD5} rejected by policy Server password policy requires salted schemes Regenerate with {SSHA} or the policy-mandated scheme.
Extra blank line in generated LDIF Default stdout includes a trailing newline Add -n when capturing output into a here-document or variable.
slappasswd: command not found on a client host Package is server-side Install openldap-servers on the LDAP host or hash on the server and copy only the value.

References

Rohan Timalsina

is a technical writer and Linux enthusiast who writes practical guides on Linux commands and system administration. He focuses on simplifying complex topics through clear explanations.