Re: Migrating user database between OpenLDAP instances

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 07:27 AM 2/3/2005, Oyvind Gronnesby wrote:

>We recently migrated our user database from an old RedHat 7.3 machine
>that ran with a locally compiled OpenLDAP 2.1.22 to a Debian/testing
>machine with the slapd 2.1.30-3 package installed.  The migration of
>the tree was done with slapcat and slapadd.
>
>After migration we found that a lot of the password hashes would no
>longer work for our users.  Resetting the password and thus generating
>a new hash (which was different from the old, even though the password
>was the same) would make it work.
>
>The friendly people on #ldap@freenode suggested that it might be
>because the two different slapd were linked with libraries with
>different and conflicting crypt() functions.

As noted in the FAQ, crypt(3) is not portable.  slapd(8) will
use whatever version the linker provides.  


>Is there a way to fix this so that the old hashes will work on the new
>OpenLDAP?  Preferably without having to recompile a local version of
>the Debian slapd package.

If you don't like the version the linker provides, adjust your
build environment appropriately.


>I should perhaps add that the hashes are all SMD5.

As you meantioned crypt above, I assumed you were using {CRYPT}
(which is tied with cyrpt(3)).

With {SMD5}, any slapd(8) built with {SMD5} should have
no problems understing {SMD5} hashes generated by any other
slapd(8) server... or any other LDAP server for that matter.
{SMD5} does not use crypt(3), it directly uses MD5.  Note that
{SMD5} is a seeded mechanism, hence it is natural for that
different values be generated for the same password.

Now, if by SMD5 you are referring to some (seeded) MD5 flavor
of crypt(3), then my above comments regarding crypt(3) apply.

Kurt