slappasswd — quick reference
Generate a password value
Create a value suitable for an LDAP userPassword attribute or olcRootPW; protect the resulting hash like a password.
| When to use | Command |
|---|---|
Prompt securely for a password and emit the default {SSHA} value |
sudo slappasswd |
| Hash a known lab secret supplied on the command line | sudo slappasswd -s 'LabPass123!' |
| Generate a random clear-text secret | sudo slappasswd -g |
| Explicitly select the salted SHA-1 scheme | sudo slappasswd -h '{SSHA}' -s 'LabPass123!' |
Emit an RFC 2307 userPassword value (the current default) |
sudo slappasswd -u -s 'LabPass123!' |
| Read the secret from a protected file | sudo slappasswd -T /root/ldap-secret.txt |
| Omit the trailing newline for scripting | sudo slappasswd -n -s 'LabPass123!' |
Hash schemes
OpenLDAP 2.6 on Rocky Linux 10.2 accepts several {SCHEME} prefixes. Prefer {SSHA} for new values.
| When to use | Command |
|---|---|
| Default salted SHA-1 (recommended for new hashes) | sudo slappasswd -h '{SSHA}' -s 'LabPass123!' |
| Unsalted SHA-1 (legacy only) | sudo slappasswd -h '{SHA}' -s 'LabPass123!' |
| MD5 (legacy only) | sudo slappasswd -h '{MD5}' -s 'LabPass123!' |
| crypt(3) password | sudo slappasswd -h '{CRYPT}' -s 'LabPass123!' |
| Control crypt salt format | sudo slappasswd -h '{CRYPT}' -c 'salt' -s 'LabPass123!' |
Set olcRootPW on the server
The database administrator password for your suffix lives in cn=config, not in the directory tree itself.
| When to use | Command |
|---|---|
Generate a hash for olcRootPW |
sudo slappasswd |
| Discover the MDB database DN | sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSuffix=dc=example,dc=com)" dn |
Preview an olcRootPW LDIF change |
sudo ldapmodify -n -v -Q -Y EXTERNAL -H ldapi:/// -f configure-mdb.ldif |
Apply the olcRootPW change over LDAPI |
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f configure-mdb.ldif |
| Confirm the administrator bind afterward | ldapwhoami -x -ZZ -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W |
Help
| When to use | Command |
|---|---|
| Show usage and supported options | slappasswd -h |
| Print verbose scheme details | sudo slappasswd -v -s 'LabPass123!' |
slappasswd — command syntax
Synopsis from OpenLDAP 2.6:
/usr/sbin/slappasswd [-v] [-u] [-g|-s secret|-T file] [-h hash] [-c salt-format] [-n] [-o option[=value]]Use one input method: -s, -g, or -T. -g and -h cannot be combined. Root is only needed when your server policy restricts the binary; use a protected terminal and avoid leaving clear-text secrets in shell history.
slappasswd — command examples
Essential Hash a lab password with the default scheme
Generate the value before setting a directory-manager password in a disposable lab. Quoting the secret prevents the shell from interpreting !.
sudo slappasswd -s 'LabPass123!'Sample output:
{SSHA}U/8zYVk9dI894n/rMTUzSej+5Q9vBw60The {SSHA} prefix tells OpenLDAP how to verify the value; the random salt means another run produces a different hash for the same secret.
Essential Prompt instead of placing a secret in history
On a real server, omit -s so the password is entered at the prompt rather than recorded in the command history.
sudo slappasswdThe program prompts twice and prints one hash after the values match. Paste that hash into the intended LDIF only; do not store the clear-text password beside it.
Common Make the RFC 2307 output explicit
Use -u when a script should state that it expects the RFC 2307 userPassword syntax, even though it is the current default.
sudo slappasswd -u -s 'LabPass123!'Sample output:
{SSHA}UfizA53Z7w2WfO0AuINU/5Q1mSZ96fV6The output remains a scheme-tagged password value such as {SSHA}...; it is safe to place in userPassword, but is still sensitive credential material.
Common Select an SSHA scheme explicitly
Specify the scheme when documenting a controlled migration or when a configuration standard requires it.
sudo slappasswd -h '{SSHA}' -s 'LabPass123!'Sample output:
{SSHA}pOSTwXROas4ELWpRtFR780W01apTZRhxThe shell quotes {SSHA} so brace expansion cannot alter it. Avoid {SHA} and {MD5} for new deployments because they are older unsalted or weaker choices.
Common Compare legacy hash schemes
OpenLDAP 2.6.10 still generates older schemes when asked, but new userPassword and olcRootPW values should stay on {SSHA} or stronger policy.
sudo slappasswd -h '{SHA}' -s 'LabPass123!'Sample output:
{SHA}8JofvXi6CJmUQ0JvofnSRbp5Rfk=The unsalted {SHA} form is deterministic for the same password, which is one reason salted schemes are preferred today.
Common Generate a random secret for a lab
-g emits a random clear-text secret, not a stored hash. Use it when another protected process will immediately consume the password.
sudo slappasswd -gSample output:
sD3rxbQuTreat the output as a password, not a hash. Do not use -g with -h; those flags are mutually exclusive.
Advanced Read a secret from a root-only file
For noninteractive automation, keep the input in a file readable only by root and let -T read its contents.
sudo slappasswd -T /root/ldap-secret.txtSample output:
{SSHA}UiuLDzAZqkKIhb2jLhqNV3lO5z4ehCGmThe command hashes the file contents. Keep the file out of source control and remove it after a one-time bootstrap when possible.
Advanced Emit a hash without a trailing newline
-n is useful when a script captures stdout directly into an LDIF placeholder.
sudo slappasswd -n -s 'LabPass123!'Sample output:
{SSHA}d5QD9+1SOs2ZTU1nLZ4oHe9oOgcVI1oTThere is no newline after the hash, so $(sudo slappasswd -n -s 'secret') does not pick up an extra blank line in shell substitution.
Advanced Prepare an olcRootPW LDIF change
Set the suffix administrator hash in cn=config during OpenLDAP installation on RHEL. Discover $MDB_DN first, then paste the generated hash.
HASH=$(sudo slappasswd -s 'LabPass123!')Create configure-mdb.ldif with restrictive permissions:
umask 077
cat > configure-mdb.ldif <<EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $HASH
EOFPreview the change without applying it:
sudo ldapmodify -n -v -Q -Y EXTERNAL -H ldapi:/// -f configure-mdb.ldifSample output:
replace olcRootPW:
{SSHA}AmFq9NLKHDQalkf+z07R3d8Qv9YKtmig
!modifying entry "olcDatabase={2}mdb,cn=config"Remove -n from ldapmodify only after the hash and target DN are correct.
Advanced Verify the new olcRootPW with ldapwhoami
After applying the LDIF, confirm the server accepts the administrator simple bind over StartTLS.
ldapwhoami -x -ZZ -H ldap://localhost -D "cn=admin,dc=example,dc=com" -WSample output:
Enter LDAP Password:
dn:cn=admin,dc=example,dc=comA successful dn: line proves the stored hash matches the password you typed at the prompt.
slappasswd — when to use / when not
| Use slappasswd when | Use something else when |
|---|---|
|
|
slappasswd vs ldappasswd
| slappasswd | ldappasswd | |
|---|---|---|
| Primary job | Creates a stored password value | Changes a password through LDAP |
| Connection | Does not contact the directory | Binds to an LDAP server |
| Typical use | Prepare olcRootPW or LDIF |
Reset an existing account password |
| Runs on | LDAP server host | Any host with openldap-clients |
slappasswd does not update the directory by itself.
Related commands
These commands cover the client change and server maintenance sides of the LDAP workflow.
| Command | One line |
|---|---|
| ldapsearch | Query directory entries through LDAP. |
| ldapmodify | Apply LDIF changes through LDAP. |
| ldapwhoami | Confirm the authenticated identity after a password change. |
| slapcat | Export an offline server database to LDIF. |
| slapadd | Load LDIF into an offline server database. |
Browse the full Linux commands cheat sheet reference.
slappasswd — interview corner
What does slappasswd do?
It creates a scheme-tagged password value for OpenLDAP configuration or LDAP entries. It does not connect to LDAP or change an entry.
A strong answer is:
"I use slappasswd to generate an RFC 2307 password value, then apply that value through a controlled LDIF change."
Why do two SSHA hashes differ for the same password?
{SSHA} includes a random salt, so equivalent passwords yield different stored values while still verifying correctly.
A strong answer is:
"The random salt prevents identical passwords from having identical hashes; both values can still verify the same password."
Why avoid slappasswd -s in production?
The secret can appear in shell history, process listings, or automation logs. An interactive prompt or protected file reduces that exposure.
A strong answer is:
"I avoid putting production passwords on the command line because command arguments can leak; I use an interactive prompt or tightly controlled secret handling."
Does a hashed userPassword remove the need for TLS?
No. A stored hash protects the directory copy; LDAP simple-bind credentials still need encrypted transport.
A strong answer is:
"Hashing protects storage, while TLS protects credentials in transit. A production LDAP deployment needs both considerations."
Where does olcRootPW belong?
It is stored on the MDB database entry under cn=config, separate from user entries in the suffix.
A strong answer is:
"olcRootPW authenticates olcRootDN for data operations; I change it with ldapmodify over LDAPI, not with a normal suffix bind."
What is the difference between slappasswd -g and -s?
-g prints a random clear-text password, while -s hashes a supplied secret into a scheme-tagged stored value.
A strong answer is:
"-g creates a disposable password I can hand to a user or script; -s creates the LDAP hash I actually store."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
! changes or expands in a command |
Secret was not safely quoted | Use single quotes for a disposable lab secret, or omit -s. |
-g with -h fails |
The flags are mutually exclusive | Generate a secret separately or hash supplied input with -s/-T. |
| Password is exposed in history | -s was used on a shared shell |
Rotate the secret and use prompt or protected-file input next time. |
| Bind still fails after setting a hash | TLS, DN, ACL, or the applied LDIF is wrong | Verify with ldapwhoami and review server logs. |
Invalid credentials after olcRootPW change |
Wrong hash pasted or LDIF targeted the wrong database DN | Re-read olcDatabase={n}mdb from cn=config and regenerate the hash. |
{SHA} or {MD5} rejected by policy |
Server password policy requires salted schemes | Regenerate with {SSHA} or the policy-mandated scheme. |
| Extra blank line in generated LDIF | Default stdout includes a trailing newline | Add -n when capturing output into a here-document or variable. |
slappasswd: command not found on a client host |
Package is server-side | Install openldap-servers on the LDAP host or hash on the server and copy only the value. |
References
- OpenLDAP slappasswd(8) manual{: target="_blank" rel="noopener" }
- RFC 2307 — LDAP password schemes{: target="_blank" rel="noopener" }
- Install and configure OpenLDAP on RHEL Linux
- Configure cn=config with the MDB backend
- ldapwhoami command cheat sheet
