[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4575) LDAPADD and Password

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4575) LDAPADD and Password
From: ando@sys-net.it
Date: Sat, 3 Jun 2006 14:58:34 GMT

On Fri, 2006-06-02 at 20:57 +0000, Charles.Golliday@netideasinc.com
wrote:

> Issue:  When importing a LDIF file, which contains an account with a SSHA,
> encrypted password OPENLDAP appears to hash the imported SSHA encrypted password
> to an unverifiable password when viewed with my LDAP Brower\Editor v 2.2.8.
> 
>       Also when importing a LDIF file, which contains accounts with SHA
> encrypted or Clear Text passwords, OpenLDAP appears to drop both options. In
> other words when viewing the imported accounts via my LDAP Brower, the user
> password option no long appears. 
> 
>      My expected results were that when importing a LDIF file using LDAPADD,
> OPENLDAP would recognize a SSHA or a SHA encrypted account and NOT HASH the
> current or imported password.  
> 
> Clear Text passwords I expected to be hashed and verifiable. (This works fine.)
> 
> 
> When using SLAPADD to import a LDIF file, I get the following results:
> 
> If it is a SSHA encrypted password Â I get the SSHA password
> If it is a SHA encrypted password Â I get a SHA password
> If it is a Clear Text password Â I get a Clear Text password
> 
> 
> Although SLAPADD gives me the results needed it is not ideal to us this command
> in a production environment because SLAPD is required to be â??Stoppedâ?? when
> using. 
> 
> Is there a way for LDAPADD to yield similar SHA/SSHA SLAPADD results? Perhaps I
> am doing something wrong if so please advice. 

It is not clear what behavior you expect.  In fact, if slapadd's
behavior is fine with you, it means that you don't need slapd to hash
cleartext userPasswords during add/modify.  Then, don't use
ppolicy_hash_cleartext.  Otherwise, can you please share with us example
values of SHA/SSHA that appear to be incorrectly hashed?  An example
LDIF file, and the corresponding output (better if obtained via
ldapadd/ldapsearch) would be appreciated.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Prev by Date: Re: (ITS#4574) require none doesn't work
Next by Date: Re: (ITS#4577) Berkley db version incompatible - while installing open ldap 2.3
Index(es):
- Chronological
- Thread