
Re: Export from LDAP to /etc/passwd?



Quoting craigl <pavesi@integrity.com>:

> The accounts with the plain text passwords will be easy since you know
> the password.  They will go over just fine with using 'passwd'.  You can
> write a simple script with expect to do that for you.
> The hard part is going to be the {crypt} passwords.  Those usually are a
> one way crypt, so you will not be able to decrypt them.  Depending on the
> number of users you are looking at trying to convert crypted passwords,
> the easier solution is to generate them a new (random is preferred)
> password, email them telling them their password was changed to "this",
> and offer to change it to something they would like.

*giggle*

If you change their password, then mail them what their new password is..

How are they supposed to find out what their new password is, since their old
password won't let them into the system (or their IMAP/POP account)?

That will naturally only work if they have their mail on a totally separate
system :)



If all the passwords are {crypt}, then just add that password (without the {crypt}
part) into the password field in /etc/passwd. This only works if both systems are
using the same type of crypt() function. And by reading your mail again
(since you mentioned it), I assume that the RH6.1 system is NOT using MD5?

In that case, is it possible to NOT use MD5 on the RH6.2 system? If not, then
I recommend that you somehow mail them (with a couple of days' notice) that you
are about to upgrade, and that all the passwords will have to be changed.


Another way to do this is by hacking pam_ldap (if you are indeed using that)
so that it creates a 'clearTextPassword' attribute with the user's password
in clear text, and let the existing system run for a while, until you feel
confident that you have all the users' passwords.

This is the way I did it when I started to migrate to use Kerberos instead
of LDAP for the password database. I've been running this setup for about
two weeks now, and all users whose password I don't have yet have to mail/phone
me in person to get the password...

If you do it this way BE SURE TO HIDE THE clearTextPassword ATTRIBUTE FROM
READING by anyone other than 'self' and the directory admin!!! :)

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
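The "copy the {crypt} hash across, but only if the target crypt() understands it" approach from the reply above, as an added worked example (not code from the original thread or from Turbo's setup). The LDIF input, the user entries and the hash values in it are constructed for this example; the function names (parse_ldif, classify, convert) are this example's own. The script classifies each userPassword value as traditional DES crypt, glibc MD5/SHA crypt, cleartext, or some other LDAP scheme ({SSHA}, {MD5} etc., which are not crypt() hashes and cannot go into /etc/shadow), copies only the hashes the target system can verify, locks the remaining accounts and reports which ones need `passwd` (cleartext known) or a reset (hash unusable):

```python
"""Turn LDAP userPassword values into /etc/passwd + /etc/shadow lines.

Added example, not code from the original post. A hash is copied only
when the target crypt() type list says the target system can verify it;
every other account is emitted locked ('!') and listed in the report.
"""
import base64
import re
import time

# Constructed sample LDIF for this example (hashes are illustrative, not
# hashes of any real password). 'userPassword::' is LDIF base64 syntax;
# carol's value decodes to a cleartext password.
LDIF_SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1001
gidNumber: 100
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {crypt}abJnggxhB/yWI

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 1002
gidNumber: 100
cn: Bob Example
homeDirectory: /home/bob
loginShell: /bin/bash
userPassword: {CRYPT}$1$saltsalt$qjXMvbEw8oaoYmVq2b.xU/

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 1003
gidNumber: 100
cn: Carol Example
homeDirectory: /home/carol
loginShell: /bin/bash
userPassword:: c2VjcmV0MTIz

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
uidNumber: 1004
gidNumber: 100
cn: Dave Example
homeDirectory: /home/dave
loginShell: /bin/bash
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkw
"""

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")          # traditional DES crypt
GLIBC_PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}, one dict per entry."""
    entries, current = [], {}
    for line in _unfold(text):
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                     # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify(stored):
    """Map a userPassword value to (scheme, body).

    scheme is 'des', 'md5', 'sha256', 'sha512', 'plain' or 'other:<name>'.
    {MD5}/{SHA}/{SSHA} are raw digests, not crypt() output, so they can
    never be pasted into /etc/shadow even if the name looks familiar.
    """
    m = re.match(r"^\{([^}]+)\}(.*)$", stored, re.S)
    if not m:
        return "plain", stored
    scheme, body = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return "other:" + scheme, body
    for prefix, name in GLIBC_PREFIXES.items():
        if body.startswith(prefix):
            return name, body
    if DES_RE.match(body):
        return "des", body
    return "other:crypt", body


def convert(ldif_text, target_crypt_types=("des",), lastchg_days=None):
    """Return (passwd_lines, shadow_lines, report).

    target_crypt_types: crypt() formats the target libc can verify; a
    box without MD5 support is ("des",), one with it is ("des", "md5").
    report maps uid -> 'copied-<type>', 'set-with-passwd' or 'reset-required'.
    """
    if lastchg_days is None:
        lastchg_days = int(time.time() // 86400)      # shadow 'last changed'
    passwd, shadow, report = [], [], {}
    for e in parse_ldif(ldif_text):
        if "uid" not in e or "userPassword" not in e:
            continue
        uid = e["uid"][0]
        scheme, body = classify(e["userPassword"][0])
        if scheme in target_crypt_types:
            field, action = body, "copied-" + scheme  # hash works as-is
        elif scheme == "plain":
            field, action = "!", "set-with-passwd"    # known cleartext; run passwd
        else:
            field, action = "!", "reset-required"     # unusable hash; new password
        passwd.append("%s:x:%s:%s:%s:%s:%s" % (
            uid, e["uidNumber"][0], e["gidNumber"][0], e.get("cn", [""])[0],
            e["homeDirectory"][0], e["loginShell"][0]))
        shadow.append("%s:%s:%d:0:99999:7:::" % (uid, field, lastchg_days))
        report[uid] = action
    return passwd, shadow, report


if __name__ == "__main__":
    for uid, action in convert(LDIF_SAMPLE, ("des",))[2].items():
        print(uid, action)
```

Run with `("des",)` for a target like the RH6.1 box in the thread (DES only) and bob's MD5 hash is refused and his account comes out locked; with `("des", "md5")` it is copied unchanged. Cleartext values are never written anywhere by this script: carol is reported as `set-with-passwd` so the password is set through `passwd` (or the expect script mentioned in the quoted mail) rather than landing in a world-readable file.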