
Re: (ITS#4837) SunLDAP to OpenLDAP migration problem

--On Thursday, February 08, 2007 5:12 PM +0000 rklein@deep-field.com wrote:

> Full_Name: Ruth Klein
> Version: 2.3.24
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> We want to migrate from using SunLDAP to using OpenLDAP. This involves
> migrating the existing user data from SunLDAP to OpenLDAP. We were able
> to do this successfully, however, we found an incompatibility in password
> encryption. Specifically:
> "The passwords from SunONE are stored in SSHA format. This means that
> for each password a salt has been generated. The password + salt is
> encoded using SHA1 algorithm. That encoded string + salt is stored in the
> password field.
> Both SunONE and OpenLDAP support SSHA, however, it seems that SunONE
> uses an 8 byte salt and OpenLDAP uses a 4 byte salt.
> So, when OpenLDAP looks at the password strings, it gets the wrong salt,
> and will fail to decode the password."
> We're therefore requesting that OpenLDAP provide an option for an 8 byte
> salt for the SSHA encryption that is compatible with the SunONE
> encryption. This will allow us to convert to OpenLDAP without requiring
> all of our users to reset their passwords. Thanks.

It should be as simple as changing:

passwd.c:#define     SALT_SIZE       4

to

passwd.c:#define     SALT_SIZE       8

One of the nice things about open source...

In any case, perhaps this should be considered an enhancement request for 
an option in slapd.conf to set the salt size there.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
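
The SSHA layout described in the report (SHA1 over password + salt, then base64 of digest + salt), as an added example that is not part of the thread or of the OpenLDAP source. The function names, the `fixed_salt_size` parameter (a model of a verifier that assumes one salt length) and the sample password are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password: bytes, salt: Optional[bytes] = None, salt_size: int = 4) -> str:
    """Build base64(SHA1(password + salt) + salt) with the {SSHA} prefix."""
    if salt is None:
        salt = os.urandom(salt_size)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt). The salt is whatever follows the 20-byte digest."""
    if stored[:len(SCHEME)].upper() != SCHEME:
        raise ValueError("not an {SSHA} value")
    # validate=True raises binascii.Error (a ValueError) on malformed base64
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: bytes, stored: str, fixed_salt_size: Optional[int] = None) -> bool:
    """Check a password. fixed_salt_size models a verifier that assumes one salt length."""
    try:
        digest, salt = ssha_split(stored)
    except ValueError:
        return False
    if fixed_salt_size is not None:
        salt = salt[:fixed_salt_size]  # an 8-byte salt is cut short here
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for size in (4, 8):
        value = ssha_hash(b"correct horse", salt_size=size)
        print(size, value, ssha_verify(b"correct horse", value),
              ssha_verify(b"correct horse", value, fixed_salt_size=4))
```

Run against a few migrated `userPassword` values before cut-over, this shows whether the stored salts are 4 or 8 bytes and whether a length-agnostic check accepts them.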