Re: Migrate MD5 passwords to OpenLdap 2.0.x with MigrationTools

I'm relatively sure that this is part of the same issue I struggled with a while back. Someone pointed me at an old post (from 1999) which contained the fix. http://www.openldap.org/lists/openldap-software/200103/msg00125.html It involves changing the order of the included libs when you compile openldap.

Here's a paste of the content of that post:

Thus spake Kurt D. Zeilenga:

> I believe there was an OpenLDAP ITS filed and closed.  It's not really
> an OpenLDAP issue.  We just use the crypt(3) the linker provides (based
> upon user provided configuration information).  Other than avoiding
> {crypt} passwords (which are not portable) as crypt(3) differs widely
> from system to system, I suggest modifying OpenSSL not to provide
> crypt(3) on systems which provide one themselves.

I can see why you'd think that.  It looks like OpenSSL 0.9.6 supports MD5
passwords now too; I see in the change log:

 *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

Anyhow, I made this simple patch that moves $(LUTIL_LIBS) ahead of
$(SECURITY_LIBS), in case anyone else is searching the archives for a
solution to the same problem.

--- ./servers/slapd/Makefile.in.orig    Thu Mar  8 15:57:24 2001
+++ ./servers/slapd/Makefile.in Thu Mar  8 16:02:35 2001
@@ -43,8 +43,9 @@
 # $(LTHREAD_LIBS) must be last
 XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
+        $(LUTIL_LIBS) \
         $(SECURITY_LIBS) \
-        $(LDIF_LIBS) $(LUTIL_LIBS)
+        $(LDIF_LIBS)

 BUILD_OPT = "--enable-slapd"
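Review bot: as pasted, the context line `XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber` has no trailing backslash, so the `$(LUTIL_LIBS) \` line added directly below it would not be read by make as a continuation of XLIBS; the backslash was most likely lost in mail transit, and anyone applying this by hand should check that every XLIBS line except the last ends in `\`. The reorder only works because the linker takes crypt(3) from the first library on the command line that defines it, i.e. from $(LUTIL_LIBS) rather than from the OpenSSL copy in $(SECURITY_LIBS) that Kurt's quoted note describes; that ordering constraint deserves a comment beside the existing `# $(LTHREAD_LIBS) must be last`, otherwise the next tidy-up of the list silently reintroduces the bug.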

Harry Rüter wrote:


I've got a big problem migrating MD5 passwords from the shadow file to OpenLdap.

I run OpenLdap 2.0.25 on a Gentoo 1.2 distribution and use
MigrationTools-44.

My password in the shadow file is: $1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1

Is it really the entry from /etc/shadow, or is it what
the Migrationtools "generate"?

When migrating it into LDAP, userPassword is:

Seems you have (I think) DefaultHASH {crypt},
or the Migrationtools do have ...

And binding doesn't work.


I tried to change this to {MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1, but
it doesn't work either.
So I used GQ (GTK front end to LDAP) and generated the same password
as MD5. It gave: {MD5}CY9rzUYh03PK3k6DJie09g==
And it works!!!

Try to look at how the entry looks now (with ldapsearch). It will be base64-encoded and maybe looks like "$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1".

Seems to be a problem with the Migrationtools, I'd say ...

But what happened? The two MD5 passwords don't seem to have the same
form or composition.

Yes, because obviously the first one isn't really the MD5 hash
of your password, as the algorithm guarantees that
the same input generates the same MD5-hashed output!!!

-- Frédéric Gaudy - Gestionnaire NTIC

Greets Harry
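The thread mixes up three things that all get called "MD5 passwords": the `$1$salt$hash` string crypt(3) writes into /etc/shadow (md5-crypt: salted and iterated), the same string stored in OpenLDAP under the `{CRYPT}` scheme (which only works if the crypt(3) slapd was linked against understands `$1$`, the link-order problem above), and OpenLDAP's own `{MD5}` scheme, which is just the base64 of one raw, unsalted MD5 digest. The script below is an added example, not code from the thread, MigrationTools or OpenLDAP. It carries a from-scratch port of the classic md5-crypt algorithm (the FreeBSD crypt-md5.c construction) rather than Python's crypt module, which newer interpreters no longer ship. The shadow line is constructed around the hash quoted in the thread; the cleartext "test" is an inference, not stated on the page, but the `{MD5}` value GQ produced decodes to exactly the MD5 of that string, which the test confirms.

```python
"""Added example: the $1$ / {CRYPT} / {MD5} userPassword forms from the thread."""
import base64
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return "$1$<salt>$<22 chars>", the md5-crypt form crypt(3) writes to /etc/shadow."""
    salt, magic = salt[:8], b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                      # mix in the alternate digest, len(password) bytes of it
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                             # one byte per bit of the length (a quirk of the design)
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # the deliberate 1000-round slowdown
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    enc = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (magic + salt + b"$" + enc).decode()


def ldap_md5(password: bytes) -> str:
    """OpenLDAP {MD5}: base64 of the raw 16-byte digest, no salt, no iteration."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def shadow_to_userpassword(shadow_line: str) -> str:
    """Map one /etc/shadow line to the userPassword value a migration should emit.

    The crypt(3) string is kept byte-for-byte under {CRYPT}; relabelling it
    {MD5} makes slapd treat "$1$...$..." as a base64 digest, and binds fail."""
    user, hash_field = shadow_line.split(":")[:2]
    if hash_field in ("", "*") or hash_field.startswith("!"):
        raise ValueError(f"{user}: account has no usable password hash")
    return "{CRYPT}" + hash_field


def verify(password: bytes, stored: str) -> bool:
    """Check a cleartext against a userPassword value of scheme {MD5} or {CRYPT}$1$."""
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(ldap_md5(password), stored)
    if stored.startswith("{CRYPT}$1$"):
        salt = stored[len("{CRYPT}$1$"):].split("$", 1)[0]
        return hmac.compare_digest(md5crypt(password, salt.encode()), stored[len("{CRYPT}"):])
    raise ValueError("unsupported scheme in " + stored)


# Constructed sample: the hash from the thread, with made-up user and ageing fields.
SHADOW_LINE = "harry:$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1:11800:0:99999:7:::"
GQ_VALUE = "{MD5}CY9rzUYh03PK3k6DJie09g=="      # the value GQ stored, which bound fine


def demo() -> dict:
    migrated = shadow_to_userpassword(SHADOW_LINE)
    return {
        "migrated userPassword": migrated,
        "{MD5} of 'test'": ldap_md5(b"test"),
        "GQ value is MD5('test')": verify(b"test", GQ_VALUE),
        "shadow hash matches 'test'": verify(b"test", migrated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two hash forms are not interchangeable because they are different functions, not different encodings of the same digest: `{MD5}` hashes the password once with no salt, so every user with the same password gets the same value and a precomputed lookup reverses it (the GQ value above is one such case), while `$1$` md5-crypt salts and iterates. A migration should therefore emit `{CRYPT}` in front of the untouched shadow string and rely on a crypt(3) that handles `$1$`; converting to `{MD5}` by hand, as the thread ended up doing, weakens the stored credential.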