diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index f9f25de652..e1fb332505 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -44,7 +44,7 @@ int		global_idletimeout = 0;
 char	*global_host = NULL;
 char	*global_realm = NULL;
 char		*ldap_srvtab = "";
-char		*default_passwd_hash;
+char		*default_passwd_hash = NULL;
 struct berval default_search_base = { 0, NULL };
 struct berval default_search_nbase = { 0, NULL };
 unsigned		num_subordinates = 0;
@@ -520,10 +520,23 @@ read_config( const char *fname )
 
 				return 1;
 
-			} else {
-				default_passwd_hash = ch_strdup( cargv[1] );
 			}
 
+			if ( lutil_passwd_scheme( cargv[1] ) == NULL ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+					   "%s: line %d: password scheme \"%s\" not available\n",
+					   fname, lineno, cargv[1] ));
+#else
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: password scheme \"%s\" not available\n",
+					fname, lineno, cargv[1] );
+#endif
+				return 1;
+			}
+
+			default_passwd_hash = ch_strdup( cargv[1] );
+
 		} else if ( strcasecmp( cargv[0], "password-crypt-salt-format" ) == 0 ) 
 		{
 			if ( cargc < 2 ) {
diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index 90ac1d3bbf..147c9b41f6 100644
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -314,6 +314,7 @@ slap_passwd_hash(
 #endif
 
 	tmp = lutil_passwd_hash( cred , hash );
+	assert( tmp != NULL );
 	
 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 	ldap_pvt_thread_mutex_unlock( &passwd_mutex );