
Re: SSHA encryption and migration from 2.0 to 2.2



Although 2.2 is also outdated, you may simply be lacking the {SHA} or
{MD5} prefix in userpassword:.

On 3/2/06, Darrell Swoap <dswoap@rackspace.com> wrote:
> My organization currently uses several OpenLDAP 2.0 servers for
> purposes of authenticating users against a centralized database.
> Users in the directory currently have a mix of encryption schemes for
> their userPassword attributes (MD5 and SSHA) which works fine at the
> moment. When using slapcat and slapadd to populate a new OpenLDAP
> 2.2 server, binds for users with an MD5 encrypted password continue
> to work, but users with an SSHA encrypted password fail to bind and
> receive the "invalid credentials" error.
>
> These symptoms occur when doing a bind in association with an
> ldapsearch.  That is, binding with a dn whose entry contains an MD5-
> encrypted userPassword attribute works, but the bind fails when the
> entry contains an SSHA-encrypted userPassword attribute.  Also, this
> affects OpenLDAP 2.2 server packages for both RedHat EL3/4 and Debian
> Sarge.  (Note that I'm using pre-packaged software rather than
> software from source.)
>
> Interestingly, the "rootpw" in slapd.conf is encrypted SSHA, and I
> can bind as the rootdn user just fine.
>
> Thanks in advance for any suggestions or information,
>
> Darrell Swoap
>
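The reply suggests the migrated entries may simply be missing the {SSHA}/{MD5} scheme prefix. The following script is an added example and is not code from this thread or from the OpenLDAP project: it builds RFC 2307 style userPassword values, checks a candidate password against them the way slapd does (a value with no {scheme} prefix is compared as cleartext, so a hash that lost its prefix can never match), and audits a small LDIF export for entries whose userPassword lacks a prefix. The LDIF, DNs and the fixed salt are constructed for the example.

```python
"""Audit userPassword scheme prefixes in an LDIF export and verify passwords.

Added example, not part of the mailing-list thread. Sample data is constructed.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Scheme prefixes slapd recognises in userPassword (RFC 2307 convention).
KNOWN_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: bytes) -> str:
    """Return a {MD5} value: base64(md5(password))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode("ascii")


def split_scheme(value: str) -> tuple:
    """Split '{SCHEME}data' into ('{SCHEME}', data); (None, value) if unprefixed."""
    m = re.match(r"^(\{[^{}]+\})(.*)$", value, re.DOTALL)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def verify_password(stored: str, candidate: bytes) -> bool:
    """Compare a candidate against a stored userPassword value as slapd would."""
    scheme, data = split_scheme(stored)
    if scheme is None:
        # No prefix: the stored value is treated as cleartext, so a hash that
        # lost its {SSHA} prefix only "matches" the literal base64 string.
        return hmac.compare_digest(stored.encode("utf-8"), candidate)
    if scheme == "{CLEARTEXT}":
        return hmac.compare_digest(data.encode("utf-8"), candidate)
    raw = base64.b64decode(data)
    if scheme == "{SSHA}":
        digest, salt = raw[:20], raw[20:]  # sha1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme == "{SHA}":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    if scheme == "{SMD5}":
        digest, salt = raw[:16], raw[16:]  # md5 digest is 16 bytes, salt follows
        return hmac.compare_digest(hashlib.md5(candidate + salt).digest(), digest)
    if scheme == "{MD5}":
        return hmac.compare_digest(hashlib.md5(candidate).digest(), raw)
    raise ValueError(f"unsupported scheme {scheme}")


def parse_ldif(text: str) -> list:
    """Minimal RFC 2849 reader: unfolds continuation lines, decodes '::' base64."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, sep, value = re.match(r"^([^:]+)(::?) ?(.*)$", line).groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def audit_userpassword(ldif_text: str) -> dict:
    """Map each DN to its userPassword scheme; None means the prefix is missing."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        for stored in entry.get("userpassword", []):
            scheme, _ = split_scheme(stored)
            report[dn] = scheme
    return report


# Constructed sample export (fixed salt so the values are repeatable).
_SSHA = ssha_hash(b"secret", salt=b"s4lt")
_SSHA_B64 = base64.b64encode(_SSHA.encode("ascii")).decode("ascii")
_SSHA_NOPREFIX = split_scheme(_SSHA)[1]  # the failure mode the reply describes
_MD5 = md5_hash(b"secret")
SAMPLE_LDIF = f"""dn: uid=md5user,ou=people,dc=example,dc=com
userPassword: {_MD5}

dn: uid=sshauser,ou=people,dc=example,dc=com
userPassword:: {_SSHA_B64}

dn: uid=broken,ou=people,dc=example,dc=com
userPassword: {_SSHA_NOPREFIX}
"""

if __name__ == "__main__":
    for dn, scheme in audit_userpassword(SAMPLE_LDIF).items():
        print(f"{dn}: {scheme or 'NO SCHEME PREFIX (compared as cleartext)'}")
```

Running the script against a real `slapcat` dump of the 2.2 server lists every DN whose userPassword has no scheme prefix; `verify_password` can then be used to confirm that a known test password matches the stored {SSHA} value before blaming the server.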