Re: SSHA encryption and migration from 2.0 to 2.2
--On Thursday, March 02, 2006 1:24 PM -0600 Darrell Swoap
My organization currently uses several OpenLDAP 2.0 servers for purposes
of authenticating users against a centralized database. Users in the
directory currently have a mix of encryption schemes for their
userPassword attributes (MD5 and SSHA) which works fine at the moment.
When using slapcat and slapadd to populate a new OpenLDAP 2.2 server,
binds for users with an MD5 encrypted password continue to work, but
users with an SSHA encrypted password fail to bind and receive the
"invalid credentials" error.
These symptoms occur when doing a bind in association with an
ldapsearch. That is, binding with a dn whose entry contains an MD5-
encrypted userPassword attribute works, but the bind fails when the
entry contains an SSHA-encrypted userPassword attribute. Also, this
affects OpenLDAP 2.2 server packages for both RedHat EL3/4 and Debian
Sarge. (Note that I'm using pre-packaged software rather than software
Interestingly, the "rootpw" in slapd.conf is encrypted SSHA, and I can
bind as the rootdn user just fine.
Thanks in advance for any suggestions or information,
I suggest that you don't use vendor packages from these vendors. I believe
the SSHA issue is a known problem with the Debian packages and their crypt
linking. Not sure about Red Hat.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
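
Added example, not part of the original thread: a Python check that verifies {SSHA} and {MD5} userPassword values taken from slapcat output without involving slapd, which helps tell an intact stored hash apart from a server-side hashing problem such as the linking issue suggested above. The DNs, password and salt are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_userpassword(stored: str, password: bytes) -> bool:
    """Verify a password against an {SSHA} or {MD5} userPassword value."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or not scheme.startswith("{"):
        raise ValueError("value has no {SCHEME} prefix")
    raw = base64.b64decode(b64, validate=True)
    name = scheme[1:].upper()
    if name == "SSHA":
        if len(raw) <= 20:  # SHA-1 digest is 20 bytes; the salt must follow it
            raise ValueError("SSHA value is truncated: no salt after digest")
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(password + salt).digest()
    elif name == "MD5" and len(raw) == 16:
        digest, calc = raw, hashlib.md5(password).digest()
    else:
        raise ValueError("unsupported or malformed scheme: " + name)
    return hmac.compare_digest(digest, calc)

def passwords_from_ldif(ldif: str):
    """Yield (dn, userPassword) pairs from LDIF text such as slapcat output."""
    dn = None
    for line in ldif.replace("\n ", "").splitlines():  # unfold wrapped lines
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # '::' means base64 in LDIF
            yield dn, base64.b64decode(line[15:]).decode()
        elif line.startswith("userPassword: "):
            yield dn, line[14:]

# Constructed sample data (assumption: not taken from the thread).
_ssha = make_ssha(b"constructed-pw", b"\x01\x02\x03\x04")
_md5 = "{MD5}" + base64.b64encode(hashlib.md5(b"constructed-pw").digest()).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(_ssha.encode()).decode() + "\n\n"
    "dn: uid=bob,dc=example,dc=com\n"
    "userPassword: " + _md5 + "\n"
)

if __name__ == "__main__":
    for dn, value in passwords_from_ldif(SAMPLE_LDIF):
        print(dn, value[:6], check_userpassword(value, b"constructed-pw"))
```

If a value exported from the old server verifies here with the user's known password but the new server still rejects the bind, the stored hash survived the migration and the fault lies in the server build.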