Zhang Weiwu wrote:
Dear everyone
I am planing to migrate an Intranet info system to authenticate with OpenLDAP, so more of our business can be done with the same login. The old system uses their own SQL table to store user information, no problem, I can write a script to convert to LDIF format. But md5 was used to encrypt user password, and the developer of that system knows md5 is cracked, so he encrypted the md5 hash with md5 method again.
clear text password --> md5 hash --> md5 hash of the md5 hash
My question:
- Have you ever heard this solution to avoid md5 crack? Now as I cannot reach the original system author, I wonder how this idea come to be (e.g. why not using SHA).
not heard of it.
- Does it work? (is md5 hashed md5 hash much safer with no side-effect?)
Sounds like it would take twice as long.
- Now, how we can migrate this system to use openldap. AFAIK openldap have no direct support for such hash. There are a lot of users of the system and there will be problems if migration is done and everyone's password is reset..
You'd have to get everyone to type in their md5 hash ;-)
You've no choice but to reset all passwords. Seems like the best time to do it under the "migration" umbrella.
Gavin.