
Re: Migrate MD5 passwords to OpenLdap 2.0.x with MigrationTools



Frédéric GAUDY wrote:

Super, it works.

But why has this problem persisted since 1999?

I think I didn't remember correctly. The date on the post is Mar 2001 (not 1999). It's still a long time though.


Why isn't it included in the
official releases?


I don't know. When I figured out the solution, I asked the same question. I'm looking through archives now and I see a discussion in November of 2001 on the list. I'm pretty sure that I made some attempt to alert the developers to the same issue at the time that I figured it out (though I can't seem to find any email evidence of it, so maybe I just *meant* to, and didn't actually get around to doing it). In any case, I certainly didn't follow through enough (and ended up just making notes in my own personal openldap documentation so that I wouldn't get bit by this again).

   ~c


On Fri 20/09/2002 at 12:40, charlie derr wrote:

I'm relatively sure that this is part of the same issue I struggled with a while back. Someone pointed me at an old post (from 1999) which contained the fix. http://www.openldap.org/lists/openldap-software/200103/msg00125.html It involves changing the order of the included libs when you compile openldap.
Here's a paste of the content of that post:
Thus spake Kurt D. Zeilenga:
> I believe there was an OpenLDAP ITS filed and closed. It's not really
> an OpenLDAP issue. We just use the crypt(3) the linker provides (based
> upon user provided configuration information). Other than avoiding
> {crypt} passwords (which are not portable) as crypt(3) differs widely
> from system to system, I suggest modifying OpenSSL not to provide
> crypt(3) on systems which provide one themselves.
I can see why you'd think that. It looks like OpenSSL 0.9.6 supports MD5
passwords now too; I see in the change log:
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
[Bodo Moeller]
Anyhow, I made this simple patch that moves $(LUTIL_LIBS) ahead of
$(SECURITY_LIBS), in case anyone else is searching the archives for a
solution to the same problem.
Wil
-- W. Reilly Cooley wcooley@nakedape.cc
Naked Ape Consulting http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and http://lnxs.org
people who take care of them. *Now with integrated crypto!*
irc.openprojects.net #lnxs
Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
-- H.L. Mencken
--- ./servers/slapd/Makefile.in.orig Thu Mar 8 15:57:24 2001
+++ ./servers/slapd/Makefile.in Thu Mar 8 16:02:35 2001
@@ -43,8 +43,9 @@
# $(LTHREAD_LIBS) must be last
XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
XXLIBS = $(LDBM_LIBS) $(SLAPD_LIBS) \
+ $(LUTIL_LIBS) \
$(SECURITY_LIBS) \
- $(LDIF_LIBS) $(LUTIL_LIBS)
+ $(LDIF_LIBS)
XXXLIBS = $(LTHREAD_LIBS) $(MODULES_LIBS)
BUILD_OPT = "--enable-slapd"
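Review bot: the reordering of $(LUTIL_LIBS) ahead of $(SECURITY_LIBS) is silent about why it matters, so the next person who tidies XXLIBS can undo it without noticing; the block's only comment is "# $(LTHREAD_LIBS) must be last". Add a comment in the same style next to the inserted line, along the lines of "# $(LUTIL_LIBS) before $(SECURITY_LIBS): resolve crypt(3) from the system, not from OpenSSL" (wording is a suggestion), so the link-order dependency that Kurt's reply describes ("we just use the crypt(3) the linker provides") is recorded where it bites. Since the hunk only touches servers/slapd/Makefile.in, it is also worth checking whether any other Makefile.in in the tree links $(SECURITY_LIBS) ahead of $(LUTIL_LIBS) and needs the same change.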
Harry Rüter wrote:
> Hi,
>
>> Hi,
>>
>> I've got a big problem migrating MD5 passwords from the shadow file to
>> OpenLdap.
>>
>> I run OpenLdap 2.0.25 on a gentoo 1.2 distribution and use
>> MigrationsTools-44 .
>>
>> My password in the shadow file is : $1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
>
> Is it really the entry from /etc/shadow or is it what
> the Migrationtools "generate"?
>
>> When migrating it into ldap, userPassword is :
>> {crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
>
> Seems you have (I think) DefaultHASH {crypt},
> or the Migrationtools do have ...
>
>> And binding doesn't work.
>
> Sure.
>
>> I tried to change this to {MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1, but
>> it doesn't work either.
>> So I used GQ (gtk front end to ldap) and generated the same password
>> in md5. It gave : {MD5}CY9rzUYh03PK3k6DJie09g==
>> And it works!!!
>
> Try to look at how the entry looks now (with ldapsearch).
> It will be base64-encoded and may look like
> "$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1".
>
> Seems to be a problem of the Migrationtools I'd say ...
>
>> But what happened? The two md5 passwords don't seem to have the same
>> form/composition.
>
> Yes, because obviously the first one isn't really the MD5 hash
> of your password, as the algorithm guarantees that
> the same input generates the same md5-hashed output !!!
>
>> --
>> Frédéric Gaudy - NTIC Manager
>
> Greets Harry
>
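The two "MD5 passwords" in the thread are different things: {crypt}$1$salt$hash is MD5-crypt as written by /etc/shadow (salted, 1000 rounds, crypt(3)'s own base64 alphabet), while {MD5}... is the base64 of a single unsalted MD5 digest, which is what GQ generated. The example below is added here and is not code from the thread, from OpenLDAP or from MigrationTools. It implements MD5-crypt in pure Python so a {crypt}$1$ value can be checked without depending on whichever crypt(3) the linker happened to resolve, and it decodes the {MD5} scheme beside it. The password "test" is an assumption: it is the input whose plain MD5 digest base64-encodes to exactly the {MD5}CY9rzUYh03PK3k6DJie09g== value quoted above. Whether the {crypt} hash from the thread was made from the same password is not claimed; the code lets you check it.

```python
"""Check OpenLDAP userPassword values independently of the linked crypt(3).

Added example (not from the thread, OpenLDAP or MigrationTools).
Assumption: the password behind {MD5}CY9rzUYh03PK3k6DJie09g== is "test".
"""
import base64
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """crypt(3)-style encoding: low 6 bits first, custom alphabet."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """MD5-crypt ($1$), the algorithm behind a shadow entry like $1$s9.9KZi6$...

    'salt' may be the bare salt or a full "$1$salt$hash" string.  A DES-only
    crypt(3), such as one exported by OpenSSL's libcrypto, cannot verify this.
    """
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt_b = salt.split("$")[0][:8].encode()

    # Intermediate digest MD5(pw + salt + pw), mixed in once per 16 bytes of pw
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else pw[0]
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds, each mixing password, salt and previous digest differently
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt_b.decode() + "$" + enc


def ldap_md5(password):
    """The {MD5} scheme: base64 of one unsalted MD5 digest (what GQ produced)."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def verify_userpassword(stored, candidate):
    """True/False for a candidate against a userPassword value.

    Returns None when the scheme or crypt variant is not implemented here,
    so 'wrong password' and 'cannot check' stay distinguishable.
    """
    if stored.startswith("{MD5}"):
        return ldap_md5(candidate) == stored
    if stored.startswith("{crypt}"):
        h = stored[len("{crypt}"):]
        if h.startswith("$1$"):
            return md5crypt(candidate, h) == h
        return None  # classic DES or other crypt variants: not implemented
    return None


def matches_system_crypt(password, salt):
    """Cross-check md5crypt() against the platform crypt(3).

    None if Python has no crypt module (removed in 3.13) or the system
    crypt(3) does not understand $1$ (the thread's situation); else a bool.
    """
    try:
        import crypt
    except ImportError:
        return None
    sys_hash = crypt.crypt(password, "$1$" + salt + "$")
    if not sys_hash or not sys_hash.startswith("$1$"):
        return None
    return sys_hash == md5crypt(password, salt)
```

verify_userpassword("{crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1", "test") answers whether the migrated shadow entry really was for the same password as the {MD5} value; if it returns True, the migration copied the hash correctly and the bind failure lies entirely in slapd's crypt(3), which is the link-order problem the patch above addresses. matches_system_crypt() returning None on a box where Python has a crypt module is itself the signal that the local crypt(3) is DES-only.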