[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Directory migration

On Wed, Apr 22, 2009 at 09:56:51AM +0930, Ian wrote:

> > You also need to make sure that the new server was built with support
> > for your chosen hash scheme. If using crypt passwords, this means
> > adding the --enable-crypt flag to the initial 'configure' command.
> Maybe that's where the problem lies. From what Michael said in his reply, the 
> passwords are plain MD5 hashes. Perhaps I've build the new one with crypt 
> support and it's trying to use that instead of straight MD5?

Unlikely. I don't think it is possible to disable the MD5 hash support.

> Yes, that was the first thing I checked when I couldn't login. The hashes are 
> exactly the same on both servers.
> > > > If I look at the encrypted password before and after resetting
> > > > it, the password hashes are different, even though they are supposedly
> > > > the same password.
> > >
> > > This could be because a salt is added before generating the hash.

But then On Tue, Apr 21, 2009 at 04:43:51PM +0200, Michael Ströder wrote:

> $ python -c "print
> 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')"
> {md5}547qEjL5yQnfIp7aDAXd8w==
> So this is a plain MD5-hashed password. This password scheme is *not*

... and the interesting thing there is that you are using a *non-salted*
hash scheme. That means that a given password should always produce
the same hash, yet you have found that resetting the password produces
a different hash.

To diagnose this further I would use ldapsearch directly, rather than
involving the Linux or FreeBSD nss_ldap client. Something like this:

ldapsearch -x -H ldap://oldserver/ -D <user account DN> -w <password> \
	-b '' -s base '(objectclass=*)'

Try the same account on the old and the new server, having made sure that
the password hashes for that account are identical. Run both ldapsearch
commands from the same window on the same machine.  If one server accepts
the search and the other one does not then you have a good test case.

One area that might be worth checking is character sets. If your test
password has any non-ASCII characters then success may be dependent on
the default character set of the client machine (which is why I said to
use the same window for both tests above).

If you still get different results for your old and new servers then
I would start to suspect a bug in the MD5 implementation, though this
is very unlikely as OpenLDAP has its own copy of MD5 which has not
changed since July 2000:


|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |