
Re: Directory migration



Ian wrote:
> On Tue, 21 Apr 2009 23:07:11 Michael Ströder wrote:
>> Hmm, which password scheme is used? Are the userPassword values prefixed
>> with {MD5} or with {CRYPT}? In the latter case libcrypt on both systems
>> could be incompatible. So this could be another issue. The general
>> advice is not to use {CRYPT}. Recommended is to use salted SHA-1
>> (password scheme {SSHA}).
> 
> Well FreeBSD is using MD5 for its encryption and so is the linux workstation. 

This does not say much since there are also MD5-based password hashes in
Unix crypt.

> Is the LDAP server encrypting the hashes as well?

No, the clear-text password is hashed depending on the password scheme
together with a random salt.

> They don't look like the 
> hashes in master.password

What is master.password?

> at all, so I guess it is? And that's one reason why 
> you need to use the PADL scripts when you import /etc/passwd into your LDAP 
> directory?

If you import /etc/shadow or wherever your salted Unix password hashes
are stored you would use the platform-specific password scheme {CRYPT}.

> The password entry looks like this:
> userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=
              ^^
The double-colon indicates that the value is base64-encoded in the LDIF
representation.

$ python -c "print 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')"
{md5}547qEjL5yQnfIp7aDAXd8w==

So this is a plain MD5-hashed password. This password scheme is *not*
platform-specific. Is this from your original data? Do all entries have
password values like this? Check that. If yes, then you should not have
a problem to migrate this data.

> So I don't know what encoding it's using - is there a setting that controls 
> this? (nothing in slapd.conf that I can see).

There are various relevant settings. But I wonder which component is
used for setting the password and which mechanism it uses.

You should also consult the fine articles in the FAQ-O-MATIC:

http://www.openldap.org/faq/data/cache/419.html

Ciao, Michael.
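The check Michael asks for above ("Do all entries have password values like this?") can be scripted. The following is an added example, not code from this thread or from OpenLDAP: it decodes `userPassword::` LDIF lines (the double colon meaning base64 per RFC 2849), splits off the `{scheme}` prefix, tallies the schemes found across a dump, and verifies a clear-text password against the portable schemes {MD5}, {SHA} and {SSHA}. The sample LDIF is constructed; its first value is the one quoted in the thread, the {CRYPT} value is an obviously fake placeholder, and the {SSHA} value is generated with a fixed salt. {CRYPT} verification is deliberately refused, since its result depends on the source host's libcrypt, which is exactly the migration hazard discussed.

```python
import base64
import hashlib
import hmac
import os
from collections import Counter


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    Uses an 8-byte random salt when none is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password):
    """Build an unsalted {MD5} value: base64(md5(password)). This is the scheme
    the thread's example uses; shown here only so the verifier can be exercised."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


# Constructed sample dump. alice's value is the base64 line quoted in the
# thread; bob's {CRYPT} value is a placeholder, not a real crypt(3) hash.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: {CRYPT}$1$PLACEHOLDER$PLACEHOLDERHASH\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: " + make_ssha("carol-secret", salt=b"12345678") + "\n"
)


def parse_ldif_userpassword(line):
    """Return the value of a 'userPassword:' / 'userPassword::' LDIF line.
    A double colon marks a base64-encoded value (RFC 2849)."""
    attr, _, rest = line.partition(":")
    if attr.strip() != "userPassword":
        raise ValueError("not a userPassword line: %r" % line)
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def split_scheme(stored):
    """Split '{scheme}payload' into (SCHEME, payload). OpenLDAP treats the
    scheme name case-insensitively ({md5} == {MD5}), so it is upper-cased.
    A value without a prefix is clear-text (scheme None)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify_password(stored, candidate):
    """Check a clear-text candidate against a stored userPassword value for the
    portable schemes. {CRYPT} is refused: it depends on the platform libcrypt."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme == "MD5":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.md5(pw).digest())
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, salt appended
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == "CRYPT":
        raise NotImplementedError("{CRYPT} is platform-specific; verify on the source host")
    raise ValueError("unknown password scheme {%s}" % scheme)


def audit_ldif(ldif_text):
    """Count the password schemes used by every userPassword line in a dump,
    so a migration can confirm whether all entries use a portable scheme."""
    counts = Counter()
    for line in ldif_text.splitlines():
        if line.startswith("userPassword:"):
            scheme, _ = split_scheme(parse_ldif_userpassword(line))
            counts[scheme or "CLEARTEXT"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(audit_ldif(SAMPLE_LDIF))
    print(verify_password(make_ssha("s3cret"), "s3cret"))
```

Run `audit_ldif` over the output of `slapcat` (or the source LDIF) before migrating: any {CRYPT} entries are the ones that may stop working on a different libcrypt, and the same tally shows how much of the directory still carries unsalted {MD5} values rather than the recommended {SSHA}.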