[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: unixUserPassword and userPassword

To: Chad Scott <cscott@appdynamics.com>
Subject: Re: unixUserPassword and userPassword
From: jupiter <jupiter.hce@gmail.com>
Date: Sat, 12 Oct 2013 10:19:37 +1100
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XYtP6R++9O2abpVGhrKTl2/cwtsro/smDuWOlRBIvPA=; b=aEl+eLBsjyz08wYUgKiV23ZpUKLhfXa+Hg3cSYja/lnGlRHRYopmY+VynyLJDT7ijq dTm+ieBkCRbExsGqVia4iBjx7kT3EsvACafKRhdRCbSppW5qGD9z4Xinmaw/yqO/LpgU Kveiq0cUUnAfvjqsvJ0s90pQTCgjByY7DF7Yq39ii1PYIvxSnp/7HY9/tfveC9IxlYbK 5+fKDWzNBm/N2RyaKvy+bmbMnOrhAla5c2YHFmojv3N4Xnvg91unEtVzXy2nl5InL+IE g6SaqjZLB2MNdWXS9UgOiOTme9VbmjSQgSLAzWULeKkG3v6IRZHmM0pYYKufaePz+/p0 KaQQ==
In-reply-to: <2685585E-1086-401B-BFD9-DB85BA7D5325@appdynamics.com>
References: <CAA=hcWQLZsnEwTSfgTaSURrXGizqVbvE=56M_WYWNGABakv46Q@mail.gmail.com> <2685585E-1086-401B-BFD9-DB85BA7D5325@appdynamics.com>

Thanks Chad for your response. Let me clarify the question:

I have old LDAP AD password encryted in unixUserPassword:

unixUserPassword: CNRP!efgh12345$67899

How can I use the encrypted password in unixUserPassword format to userPassword?

If I tried to add the unixUserPassword to an ldif file:

dn: xxxxxxxxx
changetype: modify
replace: userPassword
userPassword: {crypt}CNRP!efgh12345$67899

Then run the command ldapmodify, it did not work, because it is simply
that the encrypted password "CNRP!efgh12345$67899" from
unixUserPassword is not the {crypt} format (I have no idea what the
format for the unixUserPassword is)

I have searched openldap document and Internet, could not find anwser
for what type of the encryption used in unixUserPassword and how could
I convert the password in unixUserPassword to userPassword in an idif
file. Appreciate any advice and helps.

Thank you.

Kind regards,

jupiter


On 10/12/13, Chad Scott <cscott@appdynamics.com> wrote:
> If I'm understanding your question, you need to base64 encode "{crypt}"
> followed by the old, encrypted value.
>
> You can avoid the base64 by using just one colon in your LDIF add.
>
>> On Oct 11, 2013, at 3:51, jupiter <jupiter.hce@gmail.com> wrote:
>>
>> Hi,
>>
>> I am migrating user account entries from an old openldap AD to
>> openldap BDB. Both LDAP client authentications are implemented in
>> Linux, the former in CentOS 5, and the latter in CentOS 6.
>>
>> But the major problem is that the old openldap AD uses encrypted
>> password in "unixUserPassword:" while the openldap BDB uses base64
>> "userPassword::".
>>
>> The option for solution I could think of are:
>>
>> (a) Convert the encrypted password from unixUserPassword format to
>> userPasswor, then I can use ldapmodify to change userPassword. Is it
>> possible? If it is, appreciate more details.
>>
>> (b) Change LDAP client authentication to use unixUserPassword. I
>> haven't found any document to configure Linux client authentication to
>> use unixUserPassword.
>>
>> In fact, I could not find any document regarding details of uing
>> unixUserPassword. Any suggestions, tips and advice are very much
>> appreciated.
>>
>> Thank you.
>>
>> Kind regards,
>>
>> jupiter
>>
>> Sorry for asking a non-dev question, but I could not find any solution
>> from openldap document, nor from Internet searching.
>>
>> Thank you and appreciate any advice.
>>
>> Kind regards,
>>
>> jupiter
>>
>

Follow-Ups:
- Re: unixUserPassword and userPassword
  - From: Chad Scott <cscott@appdynamics.com>

References:
- unixUserPassword and userPassword
  - From: jupiter <jupiter.hce@gmail.com>
- Re: unixUserPassword and userPassword
  - From: Chad Scott <cscott@appdynamics.com>

Prev by Date: Re: "LDAP Injection" attacks
Next by Date: Re: unixUserPassword and userPassword
Index(es):
- Chronological
- Thread