Zimbra has run into this issue in helping a customer who was running SunDS
migrate to OpenLDAP. It does not work at all, unfortunately. Changing
code to use an 8-bit salt does work.
So, I'd be happy to fix this, but a general design question --
(a) Should this be implemented as a "ssha-salt" option in slapd.conf
(b) Should OpenLDAP try decrypting the password first as a 4-bit salt, and
then try an 8-bit salt, then fail?
(a) would be fairly portable across many salt settings, but AFAIK we've
only hit 4 & 8
(b) would allow mixed salt values to be in userPassword, and I'd think that
over time as people changed their passwords, it would allow the 8-bit salts
to go away.
Thoughts welcome. :)
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration
Show replies by date