
Re: SSHA encryption and migration from 2.0 to 2.2
Though I find it odd you choose to upgrade from one historic
version to another historic version... the following issue
applies even if you were moving to a modern version...

Modern versions of slapd(8) (unlike some very old versions)
require anonymous to have "auth" access to userPassword for
its values to be used in authentication.

- Kurt

At 11:24 AM 3/2/2006, Darrell Swoap wrote:
>My organization currently uses several OpenLDAP 2.0 servers for
>purposes of authenticating users against a centralized database.   
>Users in the directory currently have a mix of encryption schemes for  
>their userPassword attributes (MD5 and SSHA) which works fine at the  
>moment. When using slapcat and slapadd to populate a new OpenLDAP
>2.2 server, binds for users with an MD5 encrypted password continue  
>to work, but users with an SSHA encrypted password fail to bind and  
>receive the "invalid credentials" error.
>
>These symptoms occur when doing a bind in association with an
>ldapsearch. That is, binding with a dn whose entry contains an
>MD5-encrypted userPassword attribute works, but the bind fails when the
>entry contains an SSHA-encrypted userPassword attribute. Also, this
>affects OpenLDAP 2.2 server packages for both RedHat EL3/4 and Debian  
>Sarge.  (Note that I'm using pre-packaged software rather than  
>software from source.)
>
>Interestingly, the "rootpw" in slapd.conf is encrypted SSHA, and I  
>can bind as the rootdn user just fine.
>
>Thanks in advance for any suggestions or information,
>
>Darrell Swoap
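The access-control requirement Kurt describes, shown as an added slapd.conf example (constructed for this page, not taken from the thread or from the OpenLDAP distribution); the attribute name userPassword is standard, everything else is illustrative:

```conf
# Constructed example: an ACL that blocks simple binds on modern slapd(8).
# Anonymous never gets "auth" access to userPassword, so the server cannot
# check the supplied password against the stored hash and the bind is
# rejected with "invalid credentials".
access to attrs=userPassword
        by self write
        by * none

# Corrected form: grant anonymous "auth" on userPassword. The "auth"
# level lets the value be used for authentication without permitting it
# to be read or searched. Order matters: slapd stops at the first
# "access to" clause whose target matches, and within that clause at the
# first "by" line whose subject matches, so "by anonymous auth" must
# appear before the catch-all "by * none".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Any later catch-all clause for other attributes is unaffected.
access to *
        by * read
```

After changing the ACL and restarting slapd, a simple bind as an affected user (for instance with ldapwhoami -x -D "<user dn>" -W) confirms whether the stored hash is now usable for authentication.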