[Date Prev][Date Next]
Re: SSHA encryption and migration from 2.0 to 2.2
Though I find it odd you choose to upgrade from one historic
version to another historic version... the following issue
applies even if you were moving to a modern version...
Modern versions of slapd(8) (unlike some very old versions)
require anonymous to have "auth" access to userPassword for
its values to be used in authentication.
At 11:24 AM 3/2/2006, Darrell Swoap wrote:
>My organization currently uses several OpenLDAP 2.0 server for
>purposes of authenticating users against a centralized database.
>Users in the directory currently have a mix of encryption schemes for
>their userPassword attributes (MD5 and SSHA) which works fine at the
>moment. When using slapcat and slapadd to populate a new OpenLDAP
>2.2 server, binds for users with an MD5 encrypted password continue
>to work, but users with an SSHA encrypted password fail to bind and
>receive the "invalid credentials" error.
>These symptoms occur when doing a bind in association with an
>ldapsearch. That is, binding with a dn whose entry contains an MD5- encrypted userPassword attribute works, but the bind fails when the
>entry contains an SSHA-encrypted userPassword attribute. Also, this
>affects OpenLDAP 2.2 server packages for both RedHat EL3/4 and Debian
>Sarge. (Note that I'm using pre-packaged software rather than
>software from source.)
>Interestingly, the "rootpw" in slapd.conf is encrypted SSHA, and I
>can bind as the rootdn user just fine.
>Thanks in advance for any suggestions or information,