
RE: migrating already crypted passwords to ldif



Hi - thanks for the reply

On Mon, 2003-01-27 at 16:00, Jeff Costlow wrote:
> The double colons '::' means the client is base64 encoding the output.  If you use perl or python to base64 decode you'll see.
> 
Thanks for that!

> And you are correct to just place the {CRYPT} in front of the already crypted password before placing it into the directory.  I have heard rumours that 2.1.x series has by default disabled crypt support, you may have to configure --enable-crypt.
> 
Ok, then I'm expecting that as long as I configure everything else
right, users won't have to change their passwords from what they used
under NIS? I'll proceed and see how it goes I guess :-/

> Also check out:
> http://www.openldap.org/faq/data/cache/419.html
> http://www.openldap.org/software/man.cgi?query=slapd.conf   search for the section of password-hash and password-crypt-salt-format.  These will be useful when you want users to be able to use ldappasswd to modify their own password.
> 

These aren't useful to me, because I'm not concerned here with
*generating* passwords, which is what these cover.  What I'm concerned
with is how OpenLDAP performs the actual comparison!  In other words, if
my NIS password is 'orange', then when I do 'ypmatch jonesy passwd'
it'll come back with a crypted string - which is what gets put into the
ldif file and subsequently imported into my directory.  

Now, when I ssh to the LDAP server (a test box, mind you), I've told ssh
to use ldap for authentication.  When I type my ssh password 'orange' at
the login prompt, I need to ensure that this password is crypted
properly so that it matches LDAP's crypted version of the password -
otherwise I go nowhere. :)

Hope I'm being clear here. There seems to be an overabundance of
information on how to *generate* passwords.  Docs on migrating them,
aside from 'execute 'migrate-all'...', appear to be somewhat lacking so
far as I can tell.  Guess I'll write some myself when I get it all
straight.

Thanks a million for the help.
brian.


> -----Original Message-----
> From: Brian K. Jones [mailto:jonesy@CS.Princeton.EDU]
> Sent: Monday, January 27, 2003 12:43 PM
> To: ldap list
> Subject: migrating already crypted passwords to ldif
> 
> 
> Hi,
> 
> I'm unclear on how to handle this.  I have OpenLDAP 2.1.18 (built from
> source) running on Redhat 7.3.  I also have the latest nss_ldap,
> pam_ldap and padl migration tools.
> 
> I'm trying to migrate users from using NIS to using LDAP without forcing
> them to change their passwords.  However, I haven't seen any clear
> documentation discussing how to enter passwords that are *already*
> crypted into my directory.  If I put something like
> 
> userPassword: {crypt}mYh45h3dPa55w0rD
> 
> Then the result is, of course, a crypted version of the above.  One
> additional note is that the above ldif entry, when viewed via
> ldapsearch, puts *two* colons after 'userPassword'. The end result looks
> something like this:
> 
> userPassword:: e2Nye9Bf0RW1mN6sks03Sk
> 
> Notice that {crypt} is now gone, there are two colons, and this is a
> crypted version of the already crypted string above.  
> 
> Eventually, this directory *will* be used for authentication, so if
> anyone can tell me how to get LDAP to read the incoming NIS passwords
> the same way that NIS did, I would be incredibly grateful.  
> 
> Pointers for RTFM welcome.  However, I think I've already read them
> all.  
> :-(
> 
> brian
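A worked example, added here and not part of the thread or of OpenLDAP's own code, covering the three points the thread turns on: putting an existing crypt(3) hash into LDIF as `userPassword: {CRYPT}...`, why `ldapsearch` shows the attribute with `::` (the value is base64 encoded, not re-hashed, and decoding it gives back the `{CRYPT}` prefix), and what a `{CRYPT}` comparison actually is (crypt the candidate with the stored hash as salt and compare). The passwd line, the hash in it and the base DN are constructed for the example.

```python
import base64
import hmac

# Constructed sample: one line of the form `ypmatch jonesy passwd` prints.
# The hash is a made-up traditional crypt(3) string (2-char salt + 11 chars),
# not the real hash of any password.
SAMPLE_PASSWD_LINE = "jonesy:abJnggxhB/yWI:1001:100:Brian K. Jones:/home/jonesy:/bin/bash"

# Assumed base DN for the generated entries.
BASE_DN = "ou=People,dc=example,dc=com"


def _ldif_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING test: printable ASCII only, and the first
    character may not be a space, ':' or '<'. Anything else must be base64."""
    if not value:
        return True
    return value.isascii() and value.isprintable() and value[0] not in " :<"


def ldif_attr(name: str, value: str, force_base64: bool = False) -> str:
    """Render one LDIF attribute line. Values that are not LDIF-safe, or that
    the caller forces (as ldapsearch does for userPassword in the thread's
    output), are written base64 encoded after a double colon."""
    if force_base64 or not _ldif_safe(value):
        return f"{name}:: {base64.b64encode(value.encode()).decode('ascii')}"
    return f"{name}: {value}"


def passwd_line_to_ldif(line: str, base_dn: str = BASE_DN) -> str:
    """Turn one passwd(5)-style line into an LDIF entry whose userPassword
    carries the existing hash with a {CRYPT} prefix, so slapd keeps verifying
    it with crypt(3) and the user's NIS password keeps working unchanged."""
    user, hash_, uid, gid, gecos, home, shell = line.split(":")
    if hash_ in ("", "*", "!", "x"):
        raise ValueError(f"{user}: passwd line carries no usable crypt hash")
    attrs = [
        ldif_attr("dn", f"uid={user},{base_dn}"),
        ldif_attr("objectClass", "account"),
        ldif_attr("objectClass", "posixAccount"),
        ldif_attr("uid", user),
        ldif_attr("cn", gecos or user),
        ldif_attr("uidNumber", uid),
        ldif_attr("gidNumber", gid),
        ldif_attr("homeDirectory", home),
        ldif_attr("loginShell", shell),
        ldif_attr("userPassword", "{CRYPT}" + hash_),
    ]
    return "\n".join(attrs) + "\n"


def ldif_value(line: str) -> tuple[str, str]:
    """Parse one attribute line as ldapsearch prints it. 'name:: b64' means the
    value was base64 encoded on output; decoding it returns the literal value,
    {CRYPT} prefix and all. Nothing has been re-hashed."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode()
    return name, rest.strip()


def verify_crypt(candidate: str, stored: str) -> bool:
    """The check slapd performs for a {CRYPT} value: crypt(3) the candidate
    using the stored hash as the salt string and compare with the stored hash.
    Requires the stdlib crypt module (deprecated in 3.11, removed in 3.13)."""
    import crypt  # lazy import so the rest of the module works without it

    if not stored.startswith("{CRYPT}"):
        raise ValueError("not a {CRYPT} userPassword value")
    hash_ = stored[len("{CRYPT}"):]
    computed = crypt.crypt(candidate, hash_) or ""
    return hmac.compare_digest(computed, hash_)


if __name__ == "__main__":
    entry = passwd_line_to_ldif(SAMPLE_PASSWD_LINE)
    print(entry)
    # What ldapsearch shows for the same value, and what it decodes back to.
    shown = ldif_attr("userPassword", "{CRYPT}abJnggxhB/yWI", force_base64=True)
    print(shown)
    print(ldif_value(shown))
```

Feed the generated LDIF to `ldapadd` as usual; the `{CRYPT}` scheme is what tells slapd to compare with crypt(3) rather than treating the stored string as a cleartext password, which is why the prefix must be present and why the build must have crypt support enabled as Jeff notes. The `::` form is purely an output encoding: `ldif_value` turns it back into the exact string that was loaded.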