Dear everyone
I am planing to migrate an Intranet info system to authenticate with OpenLDAP, so more of our business can be done with the same login. The old system uses their own SQL table to store user information, no problem, I can write a script to convert to LDIF format. But md5 was used to encrypt user password, and the developer of that system knows md5 is cracked, so he encrypted the md5 hash with md5 method again.
clear text password --> md5 hash --> md5 hash of the md5 hash
My question:
1. Have you ever heard this solution to avoid md5 crack? Now as I cannot reach the original system author, I wonder how this idea come to be (e.g. why not using SHA). 2. Does it work? (is md5 hashed md5 hash much safer with no side-effect?) 3. Now, how we can migrate this system to use openldap. AFAIK openldap have no direct support for such hash. There are a lot of users of the system and there will be problems if migration is done and everyone's password is reset..
Thanks in advance!