Re: Directory migration
Ian wrote:
> On Tue, 21 Apr 2009 23:07:11 Michael Ströder wrote:
>> Hmm, which password scheme is used? Are the userPassword values prefixed
>> with {MD5} or with {CRYPT}? In the latter case libcrypt on both systems
>> could be incompatible. So this could be another issue. The general
>> advice is not to use {CRYPT}. Recommended is to use salted SHA-1
>> (password scheme {SSHA}).
>
> Well FreeBSD is using MD5 for its encryption and so is the linux workstation.
This does not say much since there are also MD5-based password hashes in
Unix crypt.
> Is the LDAP server encrypting the hashes as well?
No, the clear-text password is hashed depending on the password scheme
together with a random salt.
> They don't look like the
> hashes in master.password
What is master.password?
> at all, so I guess it is? And that's one reason why
> you need to use the PADL scripts when you import /etc/passwd into your LDAP
> directory?
If you import /etc/shadow or wherever your salted Unix password hashes
are stored you would use the platform-specific password scheme {CRYPT}.
> The password entry looks like this:
> userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=
^^
The double-colon indicates that the value is base64-encoded in the LDIF
representation.
$ python -c "print 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')"
{md5}547qEjL5yQnfIp7aDAXd8w==
So this is a plain MD5-hashed password. This password scheme is *not*
platform-specific. Is this from your original data? Do all entries have
password values like this? Check that. If yes, then you should not have
a problem migrating this data.
> So I don't know what encoding it's using - is there a setting that controls
> this? (nothing in slapd.conf that I can see).
There are various relevant settings. But I wonder which component is
used for setting the password and which mechanism it uses.
You should also consult the fine articles in the FAQ-O-MATIC:
http://www.openldap.org/faq/data/cache/419.html
Ciao, Michael.
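The checks Michael describes (decode the base64 LDIF value, read the {scheme} prefix, confirm every entry uses a portable scheme before migrating, and prefer salted {SSHA}) as one Python 3 script. This is an added example and not code from the thread or from OpenLDAP; the LDIF fragment is constructed, the first userPassword value is the one quoted above, and the {CRYPT} entry is a made-up placeholder rather than a real crypt hash. The scheme layouts assumed here are the usual ones: {MD5}/{SHA} store base64(digest), {SMD5}/{SSHA} store base64(digest + salt).

```python
import base64
import hashlib
import os

# Constructed sample LDIF export. The first value is the one quoted in the
# thread; the {CRYPT} value is a placeholder, not a real hash.
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=example,dc=com
userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=

dn: uid=user2,ou=People,dc=example,dc=com
userPassword: {CRYPT}$1$PLACEHOLDER$notarealcrypthash
"""

# Schemes whose payload is base64(digest [+ salt]); these are portable
# across platforms because they do not depend on the local libcrypt.
_DIGESTS = {'md5': hashlib.md5, 'smd5': hashlib.md5,
            'sha': hashlib.sha1, 'ssha': hashlib.sha1}


def decode_ldif_value(line):
    """Return (attribute, value) for one LDIF line.

    A double colon ('::') marks a base64-encoded value, which is why the
    password in the thread shows up as e21kNX0... in the export.
    """
    name, _, rest = line.partition(':')
    if rest.startswith(':'):
        value = base64.b64decode(rest[1:].strip()).decode('utf-8', 'replace')
    else:
        value = rest.strip()
    return name.strip(), value


def split_scheme(value):
    """Split '{scheme}payload' into ('scheme', payload); scheme is lower-cased."""
    if value.startswith('{') and '}' in value:
        scheme, _, payload = value[1:].partition('}')
        return scheme.lower(), payload
    return None, value  # no prefix: the value is stored in clear text


def check_password(stored, candidate):
    """Verify a candidate password against a stored userPassword value.

    Returns True/False for the digest schemes and None for {CRYPT}, whose
    payload can only be checked by the libcrypt that produced it.
    """
    scheme, payload = split_scheme(stored)
    if scheme == 'crypt':
        return None
    if scheme in _DIGESTS:
        raw = base64.b64decode(payload)
        algo = _DIGESTS[scheme]
        n = algo().digest_size
        digest, salt = raw[:n], raw[n:]  # salt is empty for {MD5} and {SHA}
        return algo(candidate.encode('utf-8') + salt).digest() == digest
    return stored == candidate  # clear-text value


def make_hash(scheme, password, salt=None):
    """Produce a {SCHEME} value; {SMD5}/{SSHA} get a random 8-byte salt by default."""
    scheme = scheme.lower()
    if scheme not in _DIGESTS:
        raise ValueError('unsupported scheme: ' + scheme)
    if scheme in ('smd5', 'ssha'):
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b''
    digest = _DIGESTS[scheme](password.encode('utf-8') + salt).digest()
    return '{' + scheme.upper() + '}' + base64.b64encode(digest + salt).decode('ascii')


def audit_schemes(ldif_text):
    """Count password schemes in an LDIF export so non-portable ones stand out."""
    counts = {}
    for line in ldif_text.splitlines():
        if not line.lower().startswith('userpassword:'):
            continue
        _, value = decode_ldif_value(line)
        scheme, _ = split_scheme(value)
        key = scheme or 'cleartext'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    for scheme, n in sorted(audit_schemes(SAMPLE_LDIF).items()):
        note = '  <- platform-specific, re-hash before migrating' if scheme == 'crypt' else ''
        print(f'{scheme}: {n}{note}')
    value = make_hash('ssha', 'correct horse')
    print(value, check_password(value, 'correct horse'), check_password(value, 'wrong'))
```

Run it against a real `ldapsearch -LLL` export instead of SAMPLE_LDIF to see the scheme distribution; any `crypt` (or `cleartext`) count is the part of the data that needs attention before moving between platforms.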