On Wed, Nov 04, 2015 at 04:45:28PM +0000, Chuck Peters wrote:
> Can I convert the ldif's userPassword:: "salted hash, aka SSHA" to "hash type$salt$hash" format of shadow passwords?
Not usefully: there is no support for single-round SSHA1 in most Unix-like crypt(3) libraries.
> Or do I need to force those users with SSHA hashed passwords to change their password?
Yes
> Most of the users' passwords are in crypt format. I found a perl one-liner to base64-decode those password hashes. (1)
By 'crypt format' do you mean the old Unix 13-char DES-based hash, or one of the newer ones? At present you should really only be using the newer multi-round hashes, with this order of preference:
  $2y$ or $2a$   Bcrypt
  $6$            Multi-round SHA512
  $5$            Multi-round SHA256
  $1$            Multi-round MD5
> I'm attempting to create shadow passwd files with an old Debian 6.0.10 (squeeze) LDAP installation. Debian's slapd package (2.4.23-7.3+deb6u2, squeeze-lts patched oldoldstable) includes a perl script, ldiftopasswd, which I thought came from upstream, but it's not included in the most recent openldap source. If my reading of the perl is correct, it was meant for earlier iterations of shadow passwords that did not include a hash format or salt. I'm not having any success using the script thus far.
> (1) alias ldapdecode="perl -MMIME::Base64 -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode_base64(\$1)/eg;print'"
>     (the \$ keeps the shell from expanding $1 when the alias is defined) and just do ldapsearch | ldapdecode
That script simply converts the Base64 encoded fields of an LDIF file into their native (binary) format.
Beware of old distros as they may not support all of the hash formats.
Why do you need a passwd/shadow file in the first place? Surely it is much better to set your systems up to validate logins against LDAP directly. That way the only thing that needs to care about hash formats is the LDAP server process.
Andrew
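Added example, not from the thread or from OpenLDAP: a Python version of the same LDIF unfolding and base64 decoding the perl alias does, followed by a sort of each userPassword by scheme using the preference order above. {CRYPT} values in a crypt(3) format become shadow lines; {SSHA} values get no line, since they need a password reset. The sample LDIF, uids and hash strings are constructed placeholders.

```python
import base64, re, time

# Preference order from the message, strongest first; a bare 13-char DES string is the legacy
# format that crypt(3) still accepts but which should be retired.
CRYPT_PREFIXES = (("$2y$", "bcrypt"), ("$2a$", "bcrypt"), ("$6$", "sha512crypt"),
                  ("$5$", "sha256crypt"), ("$1$", "md5crypt"))

def parse_entries(text):
    """Yield one {attr: value} dict per LDIF entry; '::' attributes are base64-decoded."""
    text = text.replace("\n ", "")  # unfold continuation lines, same as the perl s/\n //g
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"^([\w;-]+)(::?) ?(.*)$", line)
            if m:
                attr, sep, value = m.groups()
                entry[attr] = base64.b64decode(value).decode("utf-8", "replace") if sep == "::" else value
        yield entry

def classify(userpassword):
    """Return (scheme, crypt string or None); only {CRYPT} values can go straight into shadow."""
    m = re.match(r"^\{(\w+)\}(.*)$", userpassword, re.S)
    scheme, payload = m.groups() if m else ("cleartext", "")
    if scheme.upper() != "CRYPT":
        return (scheme.lower(), None)  # e.g. ssha: no crypt(3) equivalent, user must reset
    for prefix, name in CRYPT_PREFIXES:
        if payload.startswith(prefix):
            return (name, payload)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", payload):
        return ("des", payload)        # convertible, but weak
    return ("crypt-unknown", None)

def ldif_to_shadow(text):
    """Map uid -> (scheme, shadow line or None) for every entry carrying a userPassword."""
    days = int(time.time() // 86400)   # lastchg = today, so no forced change at first login
    out = {}
    for e in parse_entries(text):
        if "uid" in e and "userPassword" in e:
            scheme, h = classify(e["userPassword"])
            out[e["uid"]] = (scheme, f"{e['uid']}:{h}:{days}:0:99999:7:::" if h else None)
    return out

def _entry(uid, pw, fold=None):  # constructed entry; fold= splits the base64 like ldapsearch does
    b64 = base64.b64encode(pw.encode()).decode()
    if fold:
        b64 = b64[:fold] + "\n " + b64[fold:]
    return f"dn: uid={uid},ou=people,dc=example,dc=com\nuid: {uid}\nuserPassword:: {b64}\n"

# Constructed sample LDIF (placeholder hashes, not real credentials).
SAMPLE_LDIF = "\n".join([_entry("alice", "{SSHA}" + "A" * 32),
                         _entry("bob", "{CRYPT}$6$examplesalt$" + "b" * 86, fold=40),
                         _entry("carol", "{CRYPT}abJnggxhB/yWI")])
```

Entries whose scheme comes back as ssha (or des) are the ones to report to the user population before cutting over.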