
Re: MigrationTools-40 and encrypted passwords



Hi Markus, 
	Thank you for the reply.  I'm using debian linux (woody), so it *should* work, like you say.  But i
haven't been able to make it happen yet.

Here's an entry from my /etc/shadow (the password is tarbaby):


tester:$1$9qd8QTk2$6HC51g/B7qcwWci5qBil70:11794:0:99999:7::


after importing into the directory slapcat shows me:

dn: uid=tester,ou=People,dc=simons-rock,dc=edu
uid: tester
cn: tester
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDlxZDhRVGsyJDZIQzUxZy9CN3Fjd1djaTVxQmlsNzA=
shadowLastChange: 11794
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/tester
gecos: ,,,
creatorsName: cn=admin,dc=simons-rock,dc=edu
createTimestamp: 20020417201617Z
modifiersName: cn=admin,dc=simons-rock,dc=edu
modifyTimestamp: 20020417201617Z

(i assume that the userPassword entry is the base64 encoding of the shadow entry)

and using the novell java code (from the openldap.org site) i get the following when searching as
admin:

ni@cderr2:~$ java Search cderr6.simons-rock.edu "cn=admin,dc=simons-rock,dc=edu" <admin-pass>
"ou=People,dc=simons-rock,dc=edu" "uid=tester"

	
uid=tester,ou=People,dc=simons-rock,dc=edu
	Attributes: 
		uid
			tester
		cn
			tester
		objectClass
			account
			posixAccount
			top
			shadowAccount
		userPassword
			{crypt}$1$9qd8QTk2$6HC51g/B7qcwWci5qBil70
		shadowLastChange
			11794
		shadowMax
			99999
		shadowWarning
			7
		loginShell
			/bin/bash
		uidNumber
			1004
		gidNumber
			1004
		homeDirectory
			/home/tester
		gecos
			,,,




Yet i still can't *use* that value:


ni@cderr2:~$ java Search cderr6.simons-rock.edu "uid=tester,ou=People,dc=simons-rock,dc=edu" tarbaby
"ou=People,dc=simons-rock,dc=edu" "uid=tester"
Error: com.novell.ldap.LDAPException: Invalid Credentials : (49) Invalid Credentials




Anyone have a suggestion?




Markus Preller wrote:
> 
> Hi,
> 
> what kind of unix are you talking about ?
> 
> Linux, Solaris, HP-UX, some kind of BSD ...
> 
> I'm asking that because some systems handle things
> slightly different but in case of Linux and Solaris
> you should have no trouble with the standard crypt
> format.
> 
> At least for me the standard crypt format is working
> fine when I move users from a Solaris/Linux box into
> my directory.
> 
> best regards
> 
> Markus Preller
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of charlie derr
> > Sent: Wednesday, April 17, 2002 9:51 PM
> > To: openldap-software@OpenLDAP.org
> > Subject: Re: MigrationTools-40 and encrypted passwords
> >
> >
> > Thank you for the quick response.
> >
> > I've tried editing the perl script (so that it writes {md5} instead of
> > {crypt} -- to be sure, i tried {MD5} as well), but that didn't work.  I
> > also tried manually removing the "$1$" from each entry (obviously i'm
> > guessing here..), but no luck with that either.  The encrypted hash is
> > getting copied over just fine (I can verify this by seeing that the
> > userPassword entry is identical to the one in /etc/shadow). I don't
> > think this is a base64 encoding issue, because a command line query will
> > show a different value (the base64 encoded version of the password).
> > Does anyone know what might be causing the problem, or have any more
> > information on how md5 interacts with openldap?
> >
> >       thanx again,
> >               ~c
> >
> >
> >
> > Adam Williams wrote:
> > >
> > > >I am working on getting nss and pam ldap working, and am making good progress.  One problem seems to
> > > >be when i use these MigrationTools (a collection of perl scripts) to try to move the users from a
> > > >machine into the directory, the userPassword entries get stuck in as {crypt}, but somehow that isn't
> > > >usable (i can't successfully bind to the server using the password that was set).  Does anyone know
> > > >what i might be doing wrong?  Any pointers to documentation on these issues would be appreciated.
> > > >For instance, i'm unsure as to how to determine what encryption method is used on a particular
> > > >machine (to create the encrypted hashes in /etc/shadow).  I do know md5 is used because of the $1$
> > >
> > > If you have md5 hashes, you need to store them as {md5}blahblahblah
> > >
> > > You should edit the Migration script for passwd as I think it simply
> > > assumes {crypt}
> >
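
The check below is an added example, not part of the original thread: it decodes the `userPassword::` line from the slapcat output, compares it with the `/etc/shadow` hash, and shows why the same `$1$` string is md5-crypt under `{crypt}` but not a well-formed `{MD5}` value. The function names `ldif_value` and `describe` are hypothetical; the two input strings are copied from the message above.

```python
import base64
import re

# Both values are copied from the message above.
SHADOW_LINE = "tester:$1$9qd8QTk2$6HC51g/B7qcwWci5qBil70:11794:0:99999:7::"
LDIF_LINE = "userPassword:: e2NyeXB0fSQxJDlxZDhRVGsyJDZIQzUxZy9CN3Fjd1djaTVxQmlsNzA="

# Modular crypt format ids and the algorithm crypt(3) has to implement for them.
MCF_IDS = {"1": "md5-crypt", "2a": "bcrypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def ldif_value(line):
    """Return the value of one LDIF attribute line; 'attr:: x' means x is base64."""
    _attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
    return rest.strip()

def describe(user_password):
    """Split '{scheme}value' and report what the value actually encodes."""
    m = re.fullmatch(r"\{([^}]+)\}(.*)", user_password)
    if not m:
        return {"scheme": None, "kind": "cleartext"}
    scheme, value = m.group(1).upper(), m.group(2)
    info = {"scheme": scheme, "kind": "not examined here"}
    if scheme == "CRYPT":
        mcf = re.fullmatch(r"\$([0-9a-z]+)\$([^$]*)\$(.+)", value)
        if mcf:  # $id$salt$hash
            info["kind"] = MCF_IDS.get(mcf.group(1), "unknown crypt id")
            info["salt"] = mcf.group(2)
        else:
            info["kind"] = "not modular crypt format (e.g. traditional DES crypt)"
    elif scheme == "MD5":
        # LDAP {MD5} holds base64 of a raw, unsalted 16-byte MD5 digest.
        try:
            ok = len(base64.b64decode(value, validate=True)) == 16
        except ValueError:  # binascii.Error: '$' is not a base64 character
            ok = False
        info["kind"] = "raw MD5 digest" if ok else "malformed {MD5} value"
    return info

if __name__ == "__main__":
    shadow_hash = SHADOW_LINE.split(":")[1]
    stored = ldif_value(LDIF_LINE)
    print("stored value:", stored)
    print("matches shadow hash:", stored == "{crypt}" + shadow_hash)
    print("as {crypt}:", describe(stored))
    print("relabelled {MD5}:", describe("{MD5}" + shadow_hash))
```
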