''ssha'', or salted [sha], is a password hashing method for [LDAP]; see the OpenLDAP [https://www.openldap.org/faq/data/cache/347.html%|%Faq-O-Matic%|%] page for details.

To create an LDAP SSHA password entry in Tcl, do something along the following lines:

======
package require sha1

proc ldapPasswordStringSSHA clear {
    # return ldap password string from clear, generated with SSHA
    set salt [getSalt 4]
    # hash the UTF-8 bytes of the password followed by the salt;
    # "--" keeps a password starting with "-" from being parsed as an option
    set bytes [encoding convertto utf-8 $clear]
    set salted [sha1::sha1 -bin -- ${bytes}${salt}]
    return "{SSHA}[binary encode base64 ${salted}${salt}]"
}

proc getSalt n {
    # return a random byte string with length n
    # open in binary mode so the bytes are not run through an encoding
    set fd [open /dev/random rb]
    set salt [read $fd $n]
    close $fd
    return $salt
}
======

Notes:

   * This example requires [Tcllib] to be installed.
   * base64 encoding is done using [Tcl 8.6] features - see [base64] for alternatives.
   * `/dev/random` is a magic file on *nix-like operating systems, yielding random bytes when read. Replace with any suitable source of cryptographically strong randomness.
   * OpenLDAP claims that SSHA is defined in RFC 3112, but I could not confirm that. Only SHA is mentioned there.
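
Checking a clear-text password against a stored entry reverses the procedure above: decode the base64 payload, split off the 20-byte SHA-1 digest, and re-hash with the remaining salt bytes. This is an added example, not part of the original page; the proc name `ldapPasswordVerifySSHA` and the sample entry are constructed for illustration, and it assumes Tcl 8.6, Tcllib and UTF-8 encoded passwords.

```tcl
package require Tcl 8.6
package require sha1

# Hypothetical helper (not from the page): check a clear-text password
# against a stored "{SSHA}..." value. Returns 1 on match, 0 otherwise.
proc ldapPasswordVerifySSHA {clear stored} {
    # Accept the scheme prefix in any letter case; the rest is base64.
    if {![regexp -nocase {^\{SSHA\}(.+)$} $stored -> b64]} {
        return 0
    }
    # -strict makes malformed base64 an error instead of being skipped.
    if {[catch {binary decode base64 -strict $b64} raw]} {
        return 0
    }
    # A SHA-1 digest is 20 bytes; everything after it is the salt.
    # Reject entries with no salt at all.
    if {[string length $raw] <= 20} {
        return 0
    }
    set digest [string range $raw 0 19]
    set salt   [string range $raw 20 end]
    set bytes  [encoding convertto utf-8 $clear]
    set check  [sha1::sha1 -bin -- ${bytes}${salt}]
    # Compare all 20 bytes with no early exit, so the loop length
    # does not depend on how many leading bytes match.
    binary scan $digest cu* a
    binary scan $check  cu* b
    set diff 0
    foreach x $a y $b {
        set diff [expr {$diff | ($x ^ $y)}]
    }
    return [expr {$diff == 0}]
}

# Constructed sample: build an entry with a fixed 4-byte salt, then verify it.
set salt   [binary format H* 01020304]
set digest [sha1::sha1 -bin -- [encoding convertto utf-8 "secret"]$salt]
set entry  "{SSHA}[binary encode base64 ${digest}${salt}]"
puts "correct password:  [ldapPasswordVerifySSHA "secret" $entry]"
puts "wrong password:    [ldapPasswordVerifySSHA "Secret" $entry]"
puts "malformed entry:   [ldapPasswordVerifySSHA "secret" "{SSHA}not-base64!"]"
```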