Re: Migrate MD5 passwords to OpenLdap 2.0.x with MigrationTools

[charlie derr <cderr@simons-rock.edu>]

I'm relatively sure that this is part of the same issue I struggled with a while back.  Someone pointed me at an old post (from 1999) which contained the fix. 
http://www.openldap.org/lists/openldap-software/200103/msg00125.html   It involves changing the order of the included libs when you compile openldap.

Here's a paste of the content of that post:


Thus spake Kurt D. Zeilenga:

> I believe there was an OpenLDAP ITS filed and closed.  It's not really
> an OpenLDAP issue.  We just use the crypt(3) the linker provides (based
> upon user provided configuration information).  Other than avoiding
> {crypt} passwords (which are not portable) as crypt(3) differs widely
> from system to system, I suggest modifying OpenSSL not to provide
> crypt(3) on systems which provide one themselves.

I can see why you'd think that.  It looks like OpenSSL 0.9.6 supports MD5
passwords now to; I see in the change log:

 *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

Anyhow, I made this simple patch that moves $(LUTIL_LIBS) ahead of
$(SECURITY_LIBS), in case anyone else is searching the archives for a
solution to the same problem.

Wil
--
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
                -- H.L. Mencken

--- ./servers/slapd/Makefile.in.orig    Thu Mar  8 15:57:24 2001
+++ ./servers/slapd/Makefile.in Thu Mar  8 16:02:35 2001
@@ -43,8 +43,9 @@
 # $(LTHREAD_LIBS) must be last
 XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
 XXLIBS = $(LDBM_LIBS) $(SLAPD_LIBS) \
+        $(LUTIL_LIBS) \
         $(SECURITY_LIBS) \
-        $(LDIF_LIBS) $(LUTIL_LIBS)
+        $(LDIF_LIBS)
 XXXLIBS = $(LTHREAD_LIBS) $(MODULES_LIBS)

 BUILD_OPT = "--enable-slapd"


Harry Rüter wrote:
> Hi,
>
>
> > Hi,
> >
> >
> > I've got a big problem to migrate md5 passwords from shadow file to
> > OpenLdap.
> >
> > I run OpenLdap 2.0.25 on a gentoo 1.2 distribution and use
> > MigrationsTools-44 .
> >
> > My password into shadow file is : $1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
>
>
> Is it really the entry from /etc/shadow or is it what
> the Migrationtools "generates" ?
>
>
> > When migrating it into ldap, userPassword is :
> > {crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
>
>
> Seems you have (i think) DefaultHASH {crypt},
> or the Migrationtools do have ...
>
>
> > And Binding doesn't work.
>
>
> Sure.
>
>
> > I tryed to change this by {MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1, but
> > it doesn't work too.
> > So I used GQ (gtk front end to ldap) and and generate the same password
> > into md5. It given : {MD5}CY9rzUYh03PK3k6DJie09g==
> > And it works!!!
>
>
> Try to look, how the entry now looks like (with ldapsearch). 
> It will be base64-encoded and maybe looks like 
> "$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1".
>
> Seems to be a problem of the Migrationtools i'd say ...
>
>
> > But what happened? The two md5 passwords seem to doesn't have the same
> > form composition.
>
>
> Yes, because obviously the first one isn't really the MD5-hash
> of your password , as the algorithm guarantees that
> the same input generates the same md5hashed output  !!!
>
>
> > --
> > Frédéric Gaudy - Gestionnaire NTIC
>
>
> Greets Harry