Zimbra has run into this issue in helping a customer who was running SunDS migrate to OpenLDAP. It does not work at all, unfortunately. Changing code to use an 8-bit salt does work.
So, I'd be happy to fix this, but a general design question --
(a) Should this be implemented as a "ssha-salt" option in slapd.conf?
(b) Should OpenLDAP try decrypting the password first as a 4-bit salt, and then try an 8-bit salt, then fail?
(a) would be fairly portable across many salt settings, but AFAIK we've only hit 4 & 8
(b) would allow mixed salt values to be in userPassword, and I'd think that over time as people changed their passwords, it would allow the 8-bit salts to go away.
Thoughts welcome. :)
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
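Added example, not part of the original message and not OpenLDAP code: in the standard {SSHA} layout, base64(SHA-1 digest || salt), the salt is whatever follows the 20-byte digest, so a verifier can read the salt length from the stored value and accept mixed lengths in userPassword. The function names are hypothetical, the salt lengths 4 and 8 from the message are treated as byte counts (an assumption), and `check_ssha_fixed` is only a contrast model of a verifier tied to one salt length.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> tuple:
    """Return (digest, salt); the salt is everything after the 20-byte digest."""
    scheme, encoded = stored[:6], stored[6:]
    if scheme.upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded, validate=True)  # bad input raises a ValueError subclass
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_ssha(stored: str, candidate: bytes) -> bool:
    """Verify a candidate password without assuming a fixed salt length."""
    try:
        digest, salt = split_ssha(stored)
    except ValueError:
        return False
    expected = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def check_ssha_fixed(stored: str, candidate: bytes, salt_len: int) -> bool:
    """Hypothetical contrast: a verifier that only accepts salt_len bytes of salt."""
    try:
        _, salt = split_ssha(stored)
    except ValueError:
        return False
    return len(salt) == salt_len and check_ssha(stored, candidate)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for salt in (b"\x01\x02\x03\x04", bytes(range(8))):
        value = make_ssha(b"secret", salt)
        print(len(salt), value, check_ssha(value, b"secret"),
              check_ssha_fixed(value, b"secret", 4))
```
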