
Re: (ITS#4837) SunLDAP to OpenLDAP migration problem

--On Thursday, February 08, 2007 5:12 PM +0000 rklein@deep-field.com wrote:

> Full_Name: Ruth Klein
> Version: 2.3.24
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (71.247.247.122)
>
>
> We want to migrate from using SunLDAP to using OpenLDAP. This involves
> migrating the existing user data from SunLDAP to OpenLDAP. We were able
> to do this successfully, however, we found an incompatibility in password
> encryption. Specifically:
>
> "The passwords from SunONE are stored in SSHA format. This means that
> for each password a salt has been generated. The password + salt is
> encoded using the SHA1 algorithm. That encoded string + salt is stored
> in the password field.
>
> Both SunONE and OpenLDAP support SSHA, however, it seems that SunONE
> uses an 8 byte salt and OpenLDAP uses a 4 byte salt.
>
> So, when OpenLDAP looks at the password strings, it gets the wrong salt,
> and will fail to decode the password."
>
> We're therefore requesting that OpenLDAP provide an option for an 8 byte
> salt for the SSHA encryption that is compatible with the SunONE
> encryption. This will allow us to convert to OpenLDAP without requiring
> all of our users to reset their passwords. Thanks.

It should be as simple as changing:

passwd.c:#define     SALT_SIZE       4

to

passwd.c:#define     SALT_SIZE       8

One of the nice things about open source...

In any case, perhaps this should be considered an enhancement request for 
an option in slapd.conf to set the salt size there.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
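The exchange above turns on the layout of an {SSHA} value: base64 of a 20-byte SHA-1 digest of password||salt, followed by the salt itself. The following is an added example, not code from OpenLDAP's passwd.c or from either poster. It builds {SSHA} values with a configurable salt size (4 bytes, the SALT_SIZE default quoted in the reply, and 8 bytes, the length the submitter reports for SunONE), and shows two verifiers: one that takes the salt length from the stored value, and a hypothetical `ssha_verify_fixed_salt` that models the failure the submitter describes (a verifier that assumes a fixed salt size and so reads the wrong salt from an 8-byte-salt hash). Whether OpenLDAP's own check actually behaves like the fixed-size verifier is not something this message establishes; the function exists only to make the reported symptom reproducible. The password and salt bytes are constructed test data.

```python
import base64
import hashlib
import hmac
import os

SHA1_DIGEST_LEN = 20  # SHA-1 yields 20 bytes; whatever follows the digest is the salt


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_generate(password: bytes, salt_size: int = 4) -> str:
    """Generate a fresh {SSHA} value with a random salt of salt_size bytes.

    salt_size=4 mirrors the SALT_SIZE default quoted in the reply;
    salt_size=8 mirrors what the submitter reports for SunONE.
    """
    return ssha_hash(password, os.urandom(salt_size))


def ssha_split(stored: str):
    """Return (digest, salt) from a stored {SSHA} value, whatever the salt length."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < SHA1_DIGEST_LEN:
        raise ValueError("decoded value is shorter than a SHA-1 digest")
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def ssha_verify(password: bytes, stored: str) -> bool:
    """Salt-length-agnostic check: the salt is everything after the digest."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def ssha_verify_fixed_salt(password: bytes, stored: str, salt_size: int) -> bool:
    """Hypothetical verifier that assumes a fixed salt size (assumption, not OpenLDAP code).

    With salt_size=4 applied to an 8-byte-salt value it hashes the password with
    only the first 4 salt bytes, so the correct password is rejected. This models
    the symptom reported in the submission.
    """
    digest, full_salt = ssha_split(stored)
    salt = full_salt[:salt_size]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed test data: a fixed 8-byte salt standing in for a SunONE-generated one.
    password = b"correct horse"
    sun_salt = bytes(range(1, 9))
    sun_value = ssha_hash(password, sun_salt)
    print("migrated value:", sun_value)
    print("length-agnostic verify:", ssha_verify(password, sun_value))           # True
    print("4-byte-salt verify   :", ssha_verify_fixed_salt(password, sun_value, 4))  # False
    print("8-byte-salt verify   :", ssha_verify_fixed_salt(password, sun_value, 8))  # True
    print("fresh 8-byte-salt value:", ssha_generate(password, salt_size=8))
```

Note that changing SALT_SIZE as the reply suggests affects only how new hashes are generated; the migrated values are checked by whichever verification path the server uses, so the length-agnostic `ssha_verify` above is the property to confirm when importing SSHA values from another directory.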