
Re: batch encrypting passwords



Fernando Medina, Jr. wrote:
I have several users set up in a test environment...now they are about to
go into production and I need to change their password from cleartext to
crypt or something.  Can someone tell me how to encrypt all of them at
once?  Using GQ for linux I can easily change password encryption, but
would like to do it all at once.  Thanks,


I think the easiest way is to use a scripting language to build an ldif file (and then apply it with ldapmodify).

Here's a snippet of Python (won't work as is due to no parsing of input and no looping mechanism specified) that I use for constructing valid {crypt} entries. The second block of code should go inside a loop (where you've already parsed the input and assigned the plaintext password to the variable "plaintxt" and assigned the username to the variable "username"):


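import crypt
import random
import string

# Placeholder input: replace with (username, plaintext) pairs parsed
# from your own source. This sample entry is constructed.
users = [("jdoe", "secret")]

# string.ascii_letters works on both Python 2 and 3 (string.letters is Python 2 only)
an = string.ascii_letters + string.digits
output = ''

for username, plaintxt in users:
  # two-character salt for traditional crypt
  salt = random.choice(an) + random.choice(an)
  pw = crypt.crypt(plaintxt, salt)
  output = output + "dn: uid=" + username + ",ou=People,dc=example,dc=com\n"
  output = output + "changetype: modify\n"
  output = output + "replace: userPassword\n"
  output = output + "userPassword: {crypt}" + pw + "\n\n"

# write all modify records to one LDIF file for ldapmodify
outputfile = "cryptedpasses.ldif"
g = open(outputfile, "w")
g.write(output)
g.close()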



Obviously Perl (or any number of other languages) could be used instead.  Also, you can choose a different encryption mechanism ({md5}, {sha},...) if you wish.

	good luck,
		~c
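
The closing remark about other schemes, as an added example that is not part of the original message: the same LDIF modify records built with a salted SHA-1 {SSHA} value in place of {crypt}, with LDIF-unsafe values base64-encoded. The function names and sample users are constructed for illustration, and usernames are assumed to contain no characters that need DN escaping.

```python
import base64
import hashlib
import hmac
import os
import re

# LDIF-safe value: printable ASCII, no leading space, ':' or '<', no trailing space.
SAFE = re.compile(r"(?![ :<])[\x20-\x7e]*(?<! )")

def ldif_attr(name, value):
    """Format one LDIF line, base64-encoding values that are not LDIF-safe."""
    if SAFE.fullmatch(value):
        return "%s: %s\n" % (name, value)
    return "%s:: %s\n" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))

def ssha_hash(password, salt=None):
    """Return a {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # salt from the OS CSPRNG
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, value):
    """Recompute the digest with the stored salt and compare in constant time."""
    if not value.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(value[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_modify(username, value, base="ou=People,dc=example,dc=com"):
    """Build one 'changetype: modify' record that replaces userPassword."""
    # Assumption: username needs no DN escaping (no ',', '+', '=', etc.).
    return (ldif_attr("dn", "uid=%s,%s" % (username, base))
            + "changetype: modify\n"
            + "replace: userPassword\n"
            + ldif_attr("userPassword", value)
            + "-\n\n")

def build_ldif(users):
    """users: iterable of (username, plaintext) pairs; returns the LDIF text."""
    return "".join(ldif_modify(u, ssha_hash(p)) for u, p in users)

if __name__ == "__main__":
    sample = [("alice", "correct horse"), ("bob", "hunter2")]  # constructed sample
    print(build_ldif(sample), end="")
```

Traditional crypt with a two-character salt only looks at the first eight characters of a password, so a salted scheme the directory server supports is the safer choice for production accounts.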