
Re: Converting userPassword Types?



Nope, thank heavens.  Those are all one-way encryption algorithms.  Otherwise, if you could convert from one encryption mechanism directly into another, you could just as easily convert from any one of them into plain text (whoops!!).

The easiest solution is to encourage users to change their passwords. That way you can grab a plaintext version and encrypt it however you like.

One trick you might try is to keep the crypt password and make provision for an MD5 or SHA mechanism. Then, depending on what services you have control over, add an arbitrary delay for those who have not changed their password. That's the same type of mechanism as is built into the CMU IMAP server (and commercial derivatives) to encourage end-users to switch to mail clients that support mechanisms such as digest-md5 authentication. The reason behind the delay is slightly different, but the purpose of the delay itself is to provide a sort of gentle encouragement.

-- Rob


--On Friday, January 05, 2001 03:19:24 PM -0500 Hugh MacMullan <hugh@macmullan.org> wrote:


Folks:

I'm VERY new to ldap ... I've managed to get my Apache 1.3.12 (RH 6.2)
webservers authenticating with multiple ldap servers (auth_ldap-1.4.0-2 &
openldap-1.2.9-5, both of which came with RH 6.2).

Here's the question:

Okay, I used an old password file from a Netscape server, that had CRYPT
encryption on the passwords, and munged them into a .ldif file like so:

joe:asdkdSDLKFHdkd
becomes:

dn: cn=joe, dc=macmullan, dc=org
objectclass: person
uid: joe
userPassword: {crypt}asdkdSDLKFHdkd

This works just fine (even on a remote system!  Woohoo!) ... but I'd like
to know if there's a way to convert these crypt passwords to SHA or MD5
for better transportability.

Any ideas?

--Hugh





      _ _ _ _           _    _ _ _ _ _
     /\_\_\_\_\        /\_\ /\_\_\_\_\_\
    /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
   /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
  /\/_/_/_/_/ /\_\  /\/_/    /\/_/
 /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
 \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)

 Rob Tanner
 McMinnville, Oregon
 rtanner@cheshire.onlinemac.com
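
The migration described in the reply, as an added example that is not part of the original thread: {crypt} values are left alone until the user changes their password, which is the only moment the plaintext is available to re-hash. It assumes the directory accepts {SSHA} values; the dict layout, the function names and the `ann` entry are constructed for illustration, and `joe` is the sample from the question.

```python
import base64
import hashlib
import hmac
import os

# Entries as attribute dicts; joe is the thread's sample, ann is constructed.
ENTRIES = [
    {"dn": "cn=joe, dc=macmullan, dc=org", "uid": "joe",
     "userPassword": "{crypt}asdkdSDLKFHdkd"},
    {"dn": "cn=ann, dc=macmullan, dc=org", "uid": "ann",
     "userPassword": "{crypt}zzQ1exampleXY"},
]

def scheme_of(value):
    """Return the lower-cased scheme prefix of a userPassword value, or None."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return None

def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(value, password):
    """Verify a password against an {SSHA} value with a constant-time compare."""
    if scheme_of(value) != "ssha":
        return False
    raw = base64.b64decode(value[6:])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

def on_password_change(entry, new_password):
    """Plaintext is only available here, so re-hash it in the new scheme."""
    entry["userPassword"] = make_ssha(new_password)

def pending_migration(entries):
    """uids still stored as {crypt}; these cannot be converted offline."""
    return [e["uid"] for e in entries if scheme_of(e["userPassword"]) == "crypt"]

if __name__ == "__main__":
    on_password_change(ENTRIES[0], "new passphrase for joe")
    print(pending_migration(ENTRIES))
```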
