
Re: Migrate MD5 passwords to OpenLdap 2.0.x with MigrationTools



Super, it works.

But why has this problem remained since 1999? Why isn't it included in the official releases?


On Fri 20/09/2002 at 12:40, charlie derr wrote:
I'm relatively sure that this is part of the same issue I struggled with a while back.  Someone pointed me at an old post (from 1999) which contained the fix. 
http://www.openldap.org/lists/openldap-software/200103/msg00125.html   It involves changing the order of the included libs when you compile openldap.

Here's a paste of the content of that post:


Thus spake Kurt D. Zeilenga:

 > I believe there was an OpenLDAP ITS filed and closed.  It's not really
 > an OpenLDAP issue.  We just use the crypt(3) the linker provides (based
 > upon user provided configuration information).  Other than avoiding
 > {crypt} passwords (which are not portable) as crypt(3) differs widely
 > from system to system, I suggest modifying OpenSSL not to provide
 > crypt(3) on systems which provide one themselves.

I can see why you'd think that.  It looks like OpenSSL 0.9.6 supports MD5
passwords now too; I see in the change log:

  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
      [Bodo Moeller]

Anyhow, I made this simple patch that moves $(LUTIL_LIBS) ahead of
$(SECURITY_LIBS), in case anyone else is searching the archives for a
solution to the same problem.

Wil
-- 
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
                 -- H.L. Mencken

--- ./servers/slapd/Makefile.in.orig    Thu Mar  8 15:57:24 2001
+++ ./servers/slapd/Makefile.in Thu Mar  8 16:02:35 2001
@@ -43,8 +43,9 @@
  # $(LTHREAD_LIBS) must be last
  XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
  XXLIBS = $(LDBM_LIBS) $(SLAPD_LIBS) \
+        $(LUTIL_LIBS) \
          $(SECURITY_LIBS) \
-        $(LDIF_LIBS) $(LUTIL_LIBS)
+        $(LDIF_LIBS)
  XXXLIBS = $(LTHREAD_LIBS) $(MODULES_LIBS)

  BUILD_OPT = "--enable-slapd"
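
Review bot: The new position of $(LUTIL_LIBS) in XXLIBS, ahead of $(SECURITY_LIBS), is order-dependent but nothing in the Makefile says so. The only ordering comment in this hunk is "# $(LTHREAD_LIBS) must be last", so a later cleanup could move $(LUTIL_LIBS) back to the end of the list and silently restore the old link order. Add a comment line above XXLIBS stating that $(LUTIL_LIBS) must precede $(SECURITY_LIBS) and why (which crypt(3) gets linked). Depending on link order is also fragile in itself: as the quoted reply above suggests, the durable fix is for the security library not to provide crypt(3) where the system already has one.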


Harry Rüter wrote:
> Hi,
> 
> 
>>Hi,
>>
>>
>>I've got a big problem migrating md5 passwords from the shadow file to
>>OpenLdap.
>>
>>I run OpenLdap 2.0.25 on a gentoo 1.2 distribution and use
>>MigrationTools-44.
>>
>>My password in the shadow file is: $1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
> 
> 
> Is it really the entry from /etc/shadow or is it what
> the Migrationtools "generates" ?
> 
> 
>>When migrating it into ldap, userPassword is :
>>{crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
> 
> 
> Seems you have (i think) DefaultHASH {crypt},
> or the Migrationtools do have ...
> 
> 
>>And Binding doesn't work.
> 
> 
> Sure.
> 
> 
>>I tried to change this to {MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1, but
>>it doesn't work either.
>>So I used GQ (gtk front end to ldap) and generated the same password
>>in md5. It gave: {MD5}CY9rzUYh03PK3k6DJie09g==
>>And it works!!!
> 
> 
> Try to look, how the entry now looks like (with ldapsearch). 
> It will be base64-encoded and maybe looks like 
> "$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1".
> 
> Seems to be a problem of the Migrationtools i'd say ...
> 
> 
>>But what happened? The two md5 passwords don't seem to have the same
>>form composition.
> 
> 
> Yes, because obviously the first one isn't really the MD5-hash
> of your password , as the algorithm guarantees that
> the same input generates the same md5hashed output  !!!
> 
> 
>>
>>-- 
>>Frédéric Gaudy - Gestionnaire NTIC
> 
> 
> Greets Harry
> 


-- 
Frédéric Gaudy	- Gestionnaire NTIC
Communauté de Communes du Thouarsais
4, rue de la trémoille - 79104 THOUARS
TEL : 0549667700
FAX : 0549667701
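
Added example, not part of the thread or of MigrationTools: a small checker for migrated userPassword values that tells the two formats discussed above apart. A `$1$salt$hash` string from /etc/shadow is salted md5-crypt and belongs under {crypt} (where it only verifies if the crypt(3) that slapd was linked against supports it), while {MD5} holds the base64 of a raw 16-byte MD5 digest. The function name and verdict strings are hypothetical; the sample values are the ones quoted in the thread.

```python
import base64
import binascii
import re

# md5-crypt as stored in /etc/shadow: $1$<salt, up to 8 chars>$<22 chars>
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def classify_userpassword(value):
    """Return (verdict, detail) for one userPassword value (hypothetical helper)."""
    m = SCHEME.match(value)
    if not m:
        if MD5_CRYPT.match(value):
            return ("needs-prefix", "bare md5-crypt string, store it as {crypt}")
        return ("unknown", "no {scheme} prefix")
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        if MD5_CRYPT.match(body):
            # Verification is delegated to crypt(3) on the server
            return ("ok-if-crypt3-supports-md5", "md5-crypt, salt " + body.split("$")[2])
        return ("ok-if-crypt3-supports-it", "other crypt(3) format")
    if scheme == "MD5":
        if MD5_CRYPT.match(body):
            return ("mislabelled", "md5-crypt string under {MD5}, belongs under {crypt}")
        try:
            digest = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return ("malformed", "{MD5} body is not valid base64")
        if len(digest) != 16:
            return ("malformed", "{MD5} digest is %d bytes, expected 16" % len(digest))
        return ("ok", "unsalted MD5 digest " + digest.hex())
    return ("unchecked", "scheme {%s} not examined here" % scheme)


if __name__ == "__main__":
    # Values quoted in the thread above
    for v in ("{crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1",
              "{MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1",
              "{MD5}CY9rzUYh03PK3k6DJie09g=="):
        print(v, "->", classify_userpassword(v))
```

Running it over the userPassword values in the LDIF produced by the migration, before loading them, flags entries that would fail to bind because of a wrong scheme prefix.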