Add support for SSHA password hashing, and use it if possible

ldap-server/edit_ldif.cgi

@@ -33,6 +33,10 @@ elsif ($rootpw =~ /^{sha1}(.*)/i) {
 	$rootmode = 2;
 	$rootsha1 = $1;
 	}
+elsif ($rootpw =~ /^{ssha}(.*)/i) {
+	$rootmode = 4;
+	$rootssha = $1;
+	}
 elsif ($rootpw =~ /^{[a-z0-9]+}(.*)/i) {
 	$rootmode = 3;
 	$rootenc = $rootpw;
@@ -47,6 +51,7 @@ print &ui_table_row($text{'slapd_rootpw'},
 		    $rootmode == 1 ? &text('slapd_root1', $rootcrypt) :
 		    $rootmode == 2 ? &text('slapd_root2', $rootsha1) :
 		    $rootmode == 3 ? &text('slapd_root3', $rootenc) :
+		    $rootmode == 4 ? &text('slapd_root4', $rootssha) :
 		    $rootplain eq '' ? $text{'slapd_noroot'} :
 				     $rootplain);
 

ldap-server/edit_slapd.cgi

@@ -32,6 +32,10 @@ elsif ($rootpw =~ /^{sha1}(.*)/i) {
 	$rootmode = 2;
 	$rootsha1 = $1;
 	}
+elsif ($rootpw =~ /^{ssha}(.*)/i) {
+	$rootmode = 4;
+	$rootssha = $1;
+	}
 elsif ($rootpw =~ /^{[a-z0-9]+}(.*)/i) {
 	$rootmode = 3;
 	$rootenc = $rootpw;
@@ -46,6 +50,7 @@ print &ui_table_row($text{'slapd_rootpw'},
 		    $rootmode == 1 ? &text('slapd_root1', $rootcrypt) :
 		    $rootmode == 2 ? &text('slapd_root2', $rootsha1) :
 		    $rootmode == 3 ? &text('slapd_root3', $rootenc) :
+		    $rootmode == 4 ? &text('slapd_root4', $rootssha) :
 		    $rootplain eq '' ? $text{'slapd_noroot'} :
 				     $rootplain);
 

ldap-server/lang/en

@@ -39,6 +39,7 @@ slapd_rootpw=Administration password
 slapd_root1=Unix encrypted <tt>$1</tt>
 slapd_root2=SHA1 encrypted <tt>$1</tt>
 slapd_root3=Encrypted <tt>$1</tt>
+slapd_root4=SSHA encrypted <tt>$1</tt>
 slapd_noroot=<i>No password set</i>
 slapd_rootchange=New administration password
 slapd_leave=Don't change

ldap-server/ldap-server-lib.pl

@@ -942,5 +942,24 @@ foreach my $f (@ldap_lock_files) {
 @ldap_lock_files = ( );
 }
 
+# hash_ldap_password(pass)
+# Returns a password hashed in a format the LDAP server can accept in the config
+# file, with the appropriate prefix
+sub hash_ldap_password
+{
+my ($pass) = @_;
+my $rv;
+if (&has_command("slappasswd")) {
+	$rv = &backquote_command("slappasswd -s ".quotemeta($pass)." 2>/dev/null </dev/null");
+	$rv =~ s/\s+//g;
+	}
+if (!$rv) {
+	&seed_random();
+	my $salt = chr(int(rand(26))+65).chr(int(rand(26))+65);
+	$rv = "{crypt}".&unix_crypt($pass, $salt);
+	}
+return $rv;
+}
+
 1;
 

ldap-server/save_ldif.cgi

@@ -24,8 +24,8 @@ $in{'rootdn'} =~ /=/ || &error($text{'slapd_erootdn'});
 # Admin password
 if (!$in{'rootchange_def'}) {
 	$in{'rootchange'} =~ /\S/ || &error($text{'slapd_erootpw'});
-	$crypt = &unix_crypt($in{'rootchange'}, substr(time(), -2));
-	&save_ldif_directive($conf, 'olcRootPW', $defdb, "{crypt}".$crypt);
+	&save_ldif_directive($conf, 'olcRootPW', $defdb,
+			     &hash_ldap_password($in{'rootchange'}));
 	$config{'pass'} = $in{'rootchange'};
 	$save_config = 1;
 	}

ldap-server/save_slapd.cgi

@@ -23,8 +23,8 @@ $in{'rootdn'} =~ /=/ || &error($text{'slapd_erootdn'});
 # Admin password
 if (!$in{'rootchange_def'}) {
 	$in{'rootchange'} =~ /\S/ || &error($text{'slapd_erootpw'});
-	$crypt = &unix_crypt($in{'rootchange'}, substr(time(), -2));
-	&save_directive($conf, 'rootpw', "{crypt}".$crypt);
+	&save_directive($conf, 'rootpw',
+			&hash_ldap_password($in{'rootchange'}));
 	$config{'pass'} = $in{'rootchange'};
 	$save_config = 1;
 	}