
Re: Converting userPassword Types?



Doh!  Of course.  Sigh.  I like the "gentle persuasion" idea though ... mwa-ha-ha!

Thanks a lot, those who replied.

Next come replication issues, but I'll wait until Monday, so I have my questions in order.

--Hugh

Rob Tanner wrote:

> Nope, thank heavens.  Those are all one-way encryption algorithms.  Otherwise, if you could convert from one encryption mechanism directly into another, you could just as easily convert from any one of them into plain text (woops!!).
>
> The easiest solution is to encourage users to change their passwords.  That way you
> can grab a plaintext version and encrypt it however you like.
>
> One trick you might try is to keep the crypt password and make provision for an MD5
> or SHA mechanism.  Then, depending on what services you have control over, add an
> arbitrary delay for those who have not changed their password.  That's the same type
> of mechanism as is built into the CMU IMAP server (and commercial derivatives) to
> encourage end-users to switch to mail clients that support mechanisms such as
> digest-md5 authentication.  The reason behind the delay is slightly different, but
> the purpose of the delay itself is to provide a sort of gentle encouragement.
>
> -- Rob
>
> --On Friday, January 05, 2001 03:19:24 PM -0500 Hugh MacMullan <hugh@macmullan.org>
> wrote:
>
> > Folks:
> >
> > I'm VERY new to ldap ... I've managed to get my Apache 1.3.12 (RH 6.2)
> > webservers authenticating with multiple ldap servers (auth_ldap-1.4.0-2 &
> > openldap-1.2.9-5, both of which came with RH 6.2).
> >
> > Here's the question:
> >
> > Okay, I used an old password file from a Netscape server, that had CRYPT
> > encryption on the passwords, and munged them into a .ldif file like so:
> >
> > joe:asdkdSDLKFHdkd
> > becomes:
> >
> > dn: cn=joe, dc=macmullan, dc=org
> > objectclass: person
> > uid: joe
> > userPassword: {crypt}asdkdSDLKFHdkd
> >
> > This works just fine (even on a remote system!  Woohoo!) ... but I'd like
> > to know if there's a way to convert these crypt passwords to SHA or MD5
> > for better transportability.
> >
> > Any ideas?
> >
> > --Hugh
> >
>
>        _ _ _ _           _    _ _ _ _ _
>       /\_\_\_\_\        /\_\ /\_\_\_\_\_\
>      /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
>     /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
>    /\/_/_/_/_/ /\_\  /\/_/    /\/_/
>   /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
>   \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)
>
>   Rob Tanner
>   McMinnville, Oregon
>   rtanner@cheshire.onlinemac.com
>
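An added example, not part of the original thread or of OpenLDAP: once a user changes their password and the plaintext is available, as Rob describes, the new userPassword value can be built and written over the old {crypt} one with an LDIF modify record. The function names and the sample password are hypothetical, and the salted {SSHA} scheme goes beyond the SHA and MD5 schemes mentioned in the thread.

```python
import base64
import hashlib
import hmac
import os

def _digest(scheme, pw, salt=b""):
    # {SHA} and {MD5} are the bare digest; {SSHA} is SHA-1(password + salt) + salt.
    if scheme == "SHA":
        return hashlib.sha1(pw).digest()
    if scheme == "MD5":
        return hashlib.md5(pw).digest()
    if scheme == "SSHA":
        return hashlib.sha1(pw + salt).digest() + salt
    raise ValueError("unsupported scheme: " + scheme)

def make_user_password(plaintext, scheme="SSHA", salt=None):
    """Build a '{SCHEME}base64' userPassword value from a plaintext password."""
    scheme = scheme.upper()
    if scheme == "SSHA" and salt is None:
        salt = os.urandom(8)  # fresh salt per password, so equal passwords differ
    raw = _digest(scheme, plaintext.encode("utf-8"), salt or b"")
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))

def check_user_password(stored, plaintext):
    """Verify a plaintext against a stored {SHA}, {MD5} or {SSHA} value."""
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(b64)
    salt = raw[20:] if scheme == "SSHA" else b""  # SHA-1 digests are 20 bytes
    return hmac.compare_digest(raw, _digest(scheme, plaintext.encode("utf-8"), salt))

def migration_ldif(dn, stored, new_plaintext, scheme="SSHA"):
    """Return an LDIF modify record replacing a {crypt} value, or None if
    the entry has already been moved to another scheme."""
    if not stored.lower().startswith("{crypt}"):
        return None
    value = make_user_password(new_plaintext, scheme)
    lines = ["dn: " + dn, "changetype: modify",
             "replace: userPassword", "userPassword: " + value, "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Entry from the thread; the new plaintext is a constructed sample value.
    print(migration_ldif("cn=joe, dc=macmullan, dc=org",
                         "{crypt}asdkdSDLKFHdkd", "constructed-sample-pw"))
```

The old {crypt} value is never converted; it is only used to decide which entries still need a new value generated from the plaintext supplied at password-change time.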