[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Migrate MD5 passwords to OpenLdap 2.0.x with MigrationTools

Frédéric GAUDY wrote:

Super, it's work.

But, why this problem stay since 1999?

I think i didn't remember correctly. The date on the post is Mar 2001 (not 1999). It's still a long time though.

Why isn't include in the
officials releases?

I don't know. When I figured out the solution, I asked the same question. I'm looking through archives now and I see a discussion in November of 2001 on the list. I'm pretty sure that I made some attempt to alert the developers to the same issue at the time that I figured it out (though I can't seem to find any email evidence of it, so maybe i just *meant* to, and didn't actually get around to doing it). In any case, I certainly didn't follow through enough (and ended up just making notes in my own personal openldap documentation so that I wouldn't get bit by this again).


Le ven 20/09/2002 à 12:40, charlie derr a écrit :

I'm relatively sure that this is part of the same issue I struggled with a while back. Someone pointed me at an old post (from 1999) which contained the fix. http://www.openldap.org/lists/openldap-software/200103/msg00125.html It involves changing the order of the included libs when you compile openldap.
Here's a paste of the content of that post:
Thus spake Kurt D. Zeilenga:
> I believe there was an OpenLDAP ITS filed and closed. It's not really
> an OpenLDAP issue. We just use the crypt(3) the linker provides (based
> upon user provided configuration information). Other than avoiding
> {crypt} passwords (which are not portable) as crypt(3) differs widely
> from system to system, I suggest modifying OpenSSL not to provide
> crypt(3) on systems which provide one themselves.
I can see why you'd think that. It looks like OpenSSL 0.9.6 supports MD5
passwords now to; I see in the change log:
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
[Bodo Moeller]
Anyhow, I made this simple patch that moves $(LUTIL_LIBS) ahead of
$(SECURITY_LIBS), in case anyone else is searching the archives for a
solution to the same problem.
-- W. Reilly Cooley wcooley@nakedape.cc
Naked Ape Consulting http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and http://lnxs.org
people who take care of them. *Now with integrated crypto!*
irc.openprojects.net #lnxs
Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
-- H.L. Mencken
--- ./servers/slapd/Makefile.in.orig Thu Mar 8 15:57:24 2001
+++ ./servers/slapd/Makefile.in Thu Mar 8 16:02:35 2001
@@ -43,8 +43,9 @@
# $(LTHREAD_LIBS) must be last
XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
BUILD_OPT = "--enable-slapd"
Harry Rüter wrote:
> Hi,
> > >>Hi,
>>I've got a big problem to migrate md5 passwords from shadow file to
>>I run OpenLdap 2.0.25 on a gentoo 1.2 distribution and use
>>MigrationsTools-44 .
>>My password into shadow file is : $1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
> > > Is it really the entry from /etc/shadow or is it what
> the Migrationtools "generates" ?
> > >>When migrating it into ldap, userPassword is :
> > > Seems you have (i think) DefaultHASH {crypt},
> or the Migrationtools do have ...
> > >>And Binding doesn't work.
> > > Sure.
> > >>I tryed to change this by {MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1, but
>>it doesn't work too.
>>So I used GQ (gtk front end to ldap) and and generate the same password
>>into md5. It given : {MD5}CY9rzUYh03PK3k6DJie09g==
>>And it works!!!
> > > Try to look, how the entry now looks like (with ldapsearch). > It will be base64-encoded and maybe looks like > "$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1".
> > Seems to be a problem of the Migrationtools i'd say ...
> > >>But what happened? The two md5 passwords seem to doesn't have the same
>>form composition.
> > > Yes, because obviously the first one isn't really the MD5-hash
> of your password , as the algorithm guarantees that
> the same input generates the same md5hashed output !!!
> > >>
>>-- >>Frédéric Gaudy - Gestionnaire NTIC
> > > Greets Harry