Ian wrote:
> On Tue, 21 Apr 2009 23:07:11 Michael Ströder wrote:
>> Hmm, which password scheme is used? Are the userPassword values prefixed with {MD5} or with {CRYPT}? In the latter case libcrypt on both systems could be incompatible. So this could be another issue. The general advice is not to use {CRYPT}. Recommended is to use salted SHA-1 (password scheme {SSHA}).
>
> Well FreeBSD is using MD5 for its encryption and so is the linux workstation.

This does not say much since there are also MD5-based password hashes in Unix crypt.

> Is the LDAP server encrypting the hashes as well?

No, the clear-text password is hashed depending on the password scheme together with a random salt.

> They don't look like the hashes in master.password

What is master.password?

> at all, so I guess it is? And that's one reason why you need to use the PADL scripts when you import /etc/passwd into your LDAP directory?

If you import /etc/shadow or wherever your salted Unix password hashes are stored you would use the platform-specific password scheme {CRYPT}.

> The password entry looks like this:
> userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=

^^ The double colon indicates that the value is base64-encoded in the LDIF representation.

$ python -c "print 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')"
{md5}547qEjL5yQnfIp7aDAXd8w==

So this is a plain MD5-hashed password. This password scheme is *not* platform-specific. Is this from your original data? Do all entries have password values like this? Check that. If yes, then you should not have a problem to migrate this data.

> So I don't know what encoding it's using - is there a setting that controls this? (nothing in slapd.conf that I can see).
There are various relevant settings. But I wonder which component is used for setting the password and which mechanism it uses.
You should also consult the fine articles in the FAQ-O-MATIC:
http://www.openldap.org/faq/data/cache/419.html
Ciao, Michael.
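Added example (not part of the thread, and not OpenLDAP code): a small Python 3 script that does, end to end, what the reply above describes. It decodes an LDIF "attr:: value" line (the double colon meaning base64), splits off the RFC 2307 "{scheme}" prefix, verifies a candidate password against {MD5}, {SHA}, {SMD5}, {SSHA} and, where the local crypt(3) is available, {CRYPT}, and counts the scheme used by every userPassword value, which is the "do all entries look like this?" check suggested before migrating. Ian's posted value is used as one input; the password "secret", the fixed salt "abcd" and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from collections import Counter

try:
    import crypt  # the platform's crypt(3); deprecated in Python 3.11, removed in 3.13
except (ImportError, DeprecationWarning):
    crypt = None

# The value Ian posted, exactly as it appears in LDIF ('::' means base64-encoded).
THREAD_LINE = "userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0="

# Constructed inputs for the other sample entries (not from the thread).
SAMPLE_PASSWORD = "secret"
SAMPLE_SALT = b"abcd"  # fixed only so the example is reproducible; use os.urandom() in practice


def parse_ldif_attr(line):
    """Split one LDIF attribute line into (name, raw value bytes).
    'attr:: value' carries a base64-encoded value (RFC 2849), 'attr: value'
    a literal one; decoded bytes are returned in both cases."""
    if "::" in line:
        name, b64 = line.split("::", 1)
        return name.strip(), base64.b64decode(b64.strip())
    name, value = line.split(":", 1)
    return name.strip(), value.strip().encode()


def split_scheme(value):
    """Return (SCHEME, payload) for an RFC 2307 '{scheme}payload' value.
    Scheme names are case-insensitive, so {md5} and {MD5} are the same scheme;
    a value with no braced prefix is treated as clear text."""
    if value.startswith(b"{") and b"}" in value:
        scheme, payload = value[1:].split(b"}", 1)
        return scheme.decode("ascii").upper(), payload
    return "CLEARTEXT", value


def hash_md5(password):
    """{MD5}: base64 of the raw, unsalted MD5 digest. Portable, but unsalted."""
    return b"{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest())


def hash_ssha(password, salt=None):
    """{SSHA}: base64(sha1(password || salt) || salt). The salt is appended to
    the 20-byte digest so a verifier can recover it from the stored value."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify(stored, candidate):
    """Check a candidate password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload, pw)
    if scheme == "CRYPT":
        # Platform-specific: only a compatible libcrypt can check this string.
        if crypt is None:
            raise RuntimeError("no platform crypt(3) available to check {CRYPT}")
        setting = payload.decode("ascii")
        return hmac.compare_digest(crypt.crypt(candidate, setting) or "", setting)
    raw = base64.b64decode(payload)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme in ("SMD5", "SSHA"):
        algo, n = ("md5", 16) if scheme == "SMD5" else ("sha1", 20)
        digest, salt = raw[:n], raw[n:]
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    raise ValueError("unsupported password scheme " + scheme)


def sample_ldif():
    """Ian's line plus two constructed entries, one base64-encoded and one literal."""
    return [
        THREAD_LINE,
        "userPassword:: " + base64.b64encode(hash_md5(SAMPLE_PASSWORD)).decode(),
        "userPassword: " + hash_ssha(SAMPLE_PASSWORD, SAMPLE_SALT).decode(),
    ]


def scheme_histogram(ldif_lines):
    """Count the scheme of every userPassword value in an LDIF dump."""
    counts = Counter()
    for line in ldif_lines:
        name, value = parse_ldif_attr(line)
        if name.lower() == "userpassword":
            counts[split_scheme(value)[0]] += 1
    return counts


def check_line(line, candidate):
    """Return (scheme, verified) for one LDIF userPassword line."""
    _, value = parse_ldif_attr(line)
    return split_scheme(value)[0], verify(value, candidate)


if __name__ == "__main__":
    print(scheme_histogram(sample_ldif()))
    for line in sample_ldif()[1:]:
        print(check_line(line, SAMPLE_PASSWORD), check_line(line, "wrong"))
```

Run it against the output of "slapcat" or "ldapsearch ... userPassword" one line at a time (continuation lines of folded LDIF values need to be joined first). A histogram that shows only MD5 and SSHA confirms the data is portable; any CRYPT entries are the ones whose check goes through the local libcrypt and may fail after moving between FreeBSD and Linux.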