
Re: account migration and not force to change password



On Wed, Feb 02, 2005 at 09:41:46AM +0800, qwerty wrote:
> 
> Hi,
> 
> I'm going to migrate system accounts from flat files (passwd/shadow) to
> LDAP. It would be best not to force everyone to change his password
> after migration.
> 
> Yes, I can run some scripts to do the job. But as far as I know, if I'd
> like to use a different password hash (say SSHA, MD5, ...) rather than
> {CRYPT} on LDAP, I must know the actual password for each account and
> then generate a new password entry in LDAP.

No, it's much easier:

OpenLDAP has no problems supporting many different password formats in
parallel in the same directory: remember that in LDAP, the password hash
is usually computed on the _server_, the client does not even need to
know which function is used.  When a password is checked, the server
will use whatever hash function is stored in the userPassword attribute.
The password-hash which you configure in slapd.conf is just the hash
function to be used when users change their passwords.

So you can load the old crypt passwords into the directory and still
configure a modern hash function to be used for new or changed
passwords. Works for me, at least :-)

Regards,

Timo Felbinger


-- 
Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany
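The mechanism Timo describes, as an added example that is not part of the original thread: the script below copies crypt(3) hashes from shadow-style lines into `{CRYPT}`-prefixed `userPassword` values (emitted as modify-LDIF), hashes new passwords with a configurable default scheme (the job of the `password-hash {SSHA}` directive in slapd.conf), and verifies by dispatching on the scheme prefix stored in each value, which is why old `{CRYPT}` entries and new `{SSHA}` entries coexist in one directory. The shadow lines, user names, hash strings and the base DN `ou=people,dc=example,dc=com` are constructed placeholders; the `{CRYPT}` verification path needs the stdlib `crypt` module, which was removed in Python 3.13 (slapd itself calls libcrypt directly).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample shadow lines: fake users, and hash strings that only have
# the right $id$salt$ shape (they are not real crypt(3) output).
SHADOW_SAMPLE = """\
alice:$6$Zq1x7Lw3$placeholderSHA512cryptHashValueNotRealxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:16200:0:99999:7:::
bob:$1$ab12cd34$placeholderMD5cryptHashxx:16200:0:99999:7:::
svc:*:16200:0:99999:7:::
locked:!$6$Zq1x7Lw3$placeholder:16200:0:99999:7:::
"""


def shadow_to_userpassword(shadow_text):
    """Map user -> '{CRYPT}<hash>' for every shadow entry with a usable hash.

    The hash is copied verbatim: the {CRYPT} scheme hands the stored string to
    crypt(3) as the salt, so the libcrypt formats that worked in /etc/shadow
    ($1$, $5$, $6$, traditional DES) keep working in the directory.
    Disabled ('*'), locked ('!') and empty fields are skipped, not loaded.
    """
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hashed = line.split(":", 2)[:2]
        if not hashed or hashed[0] in "*!":
            continue
        result[user] = "{CRYPT}" + hashed
    return result


def to_ldif(entries, base_dn="ou=people,dc=example,dc=com"):
    """Render modify-LDIF setting userPassword on existing entries (base_dn is assumed)."""
    records = []
    for user, value in entries.items():
        records.append(
            f"dn: uid={user},{base_dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {value}\n"
        )
    return "\n".join(records)


def hash_new_password(password, scheme="SSHA", salt=None):
    """Hash a new or changed password with the configured default scheme.

    This is the only role of `password-hash {SSHA}` in slapd.conf: it picks the
    scheme written when a password is set through the server and has no effect
    on how already-stored values are verified.
    """
    data = password.encode()
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(data + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(data).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(data).digest()).decode()
    raise ValueError(f"unsupported default scheme {scheme}")


def scheme_of(stored):
    """Return the scheme prefix of a userPassword value ('CRYPT', 'SSHA', ...)."""
    if not stored.startswith("{") or "}" not in stored:
        return "CLEARTEXT"  # an unprefixed value is treated as a plaintext password
    return stored[1:stored.index("}")].upper()


def check_password(stored, candidate):
    """Verify like slapd does: the scheme is read from the stored value itself,
    so {CRYPT}, {SSHA}, {SHA} and {MD5} entries can coexist in one directory."""
    scheme = scheme_of(stored)
    data = stored if scheme == "CLEARTEXT" else stored[len(scheme) + 2:]
    cand = candidate.encode()
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest, then the salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), base64.b64decode(data))
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(cand).digest(), base64.b64decode(data))
    if scheme == "CRYPT":
        try:
            import crypt  # stdlib module removed in Python 3.13; slapd links libcrypt itself
        except ImportError as exc:
            raise NotImplementedError("crypt(3) is not available in this interpreter") from exc
        return hmac.compare_digest(crypt.crypt(candidate, data) or "", data)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode(), cand)
    raise ValueError(f"unsupported scheme {scheme}")


if __name__ == "__main__":
    migrated = shadow_to_userpassword(SHADOW_SAMPLE)
    print(to_ldif(migrated))
    fresh = hash_new_password("correct horse", "SSHA")
    print(fresh, check_password(fresh, "correct horse"), check_password(fresh, "wrong"))
```

Load the generated LDIF with `ldapmodify` against the existing entries, then leave `password-hash {SSHA}` (or another modern scheme) in slapd.conf: every user keeps binding with the old crypt hash, and each password change rewrites that user's value in the new scheme, so the directory converges without anyone being forced to change a password.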