Hi all,
we want to switch a server machine from Solaris (credentials stored in "traditional" passwd and shadow file) to Debian with OpenLDAP for authentication.
Creating LDIF files from /etc/passwd and /etc/shadow using PADL's migrationtools is working fine. The only problem is that many user passwords on the Solaris machine have been encrypted using Sun's md5 scheme, which results in hashes beginning with the characters "$md5$".
These hashes can be "imported" into our LDAP directory, but they cannot be used for authentication: each attempt results in "access denied" on the client side and LDAP bind errors on the server side. Even when adding the user information to /etc/passwd and /etc/shadow on the Linux machine, there's no success.
With CRYPT password hashes, everything works fine.
Do you know any means to "convert" these Solaris-md5-hashed password strings into something we can use with OpenLDAP?
I appreciate your helpful answers. Thanks in advance!
Gruss/Regards, Christian Schmidt
Christian Schmidt wrote:
Hi all,
we want to switch a server machine from Solaris (credentials stored in "traditional" passwd and shadow file) to Debian with OpenLDAP for authentication.
Creating LDIF files from /etc/passwd and /etc/shadow using PADL's migrationtools is working fine. The only problem is that many user passwords on the Solaris machine have been encrypted using Sun's md5 scheme, which results in hashes beginning with the characters "$md5$".
These hashes can be "imported" into our LDAP directory, but they cannot be used for authentication: each attempt results in "access denied" on the client side and LDAP bind errors on the server side. Even when adding the user information to /etc/passwd and /etc/shadow on the Linux machine, there's no success.
With CRYPT password hashes, everything works fine.
Do you know any means to "convert" these Solaris-md5-hashed password strings into something we can use with OpenLDAP?
I appreciate your helpful answers. Thanks in advance!
No conversion is necessary, as long as you built OpenLDAP with --enable-crypt and you're using the native C library's crypt() (and not e.g. OpenSSL's crypt()) and the password is stored with the {crypt} tag. (And the slapd is actually running on Solaris.)
Hello Howard,
thank you very much for your reply.
Howard Chu, 10.11.2010 (d.m.y):
No conversion is necessary, as long as you built OpenLDAP with --enable-crypt and you're using the native C library's crypt() (and not e.g. OpenSSL's crypt())
We didn't build OpenLDAP ourselves. We're using the slapd packaged by the Debian maintainers, which has been linked in the following manner:
# ldd /usr/sbin/slapd
    linux-vdso.so.1 => (0x00007fca53bd5000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007fca53772000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007fca53563000)
    libdb-4.2.so => /usr/lib/libdb-4.2.so (0x00007fca53275000)
    libodbc.so.1 => /usr/lib/libodbc.so.1 (0x00007fca53019000)
    libslp.so.1 => /usr/lib/libslp.so.1 (0x00007fca52e07000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007fca52bed000)
    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007fca5293b000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fca52703000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x00007fca524ef000)
    libltdl.so.3 => /usr/lib/libltdl.so.3 (0x00007fca522e8000)
    libwrap.so.0 => /lib/libwrap.so.0 (0x00007fca520df000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x00007fca51ec3000)
    libc.so.6 => /lib/libc.so.6 (0x00007fca51b70000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x00007fca51958000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007fca51754000)
    libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007fca51544000)
    libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00007fca53ac2000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007fca5132d000)
    libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00007fca510c6000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fca539bb000)
and the password is stored with the {crypt} tag.
I just gave this a try and changed a user's password to "password" which resulted in the MD5 hash "$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0".
I created an LDIF file with the following line and imported it into the directory:
userPassword: {CRYPT}$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0
The phrase after {CRYPT} is the hash Solaris put in its /etc/shadow.
After importing this line into the LDAP directory, I could *not* login as the corresponding user using the password "password". :-(
(And the slapd is actually running on Solaris.)
It is not: We're running OpenLDAP on Debian GNU/Linux...
Thanks a lot!
Gruss/Regards, Christian Schmidt
On 12/11/10 12:59 +0100, Christian Schmidt wrote:
I just gave this a try and changed a user's password to "password" which resulted in the MD5 hash "$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0".
I created an LDIF file with the following line and imported it into the directory:
userPassword: {CRYPT}$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0
The phrase after {CRYPT} is the hash Solaris put in its /etc/shadow.
After importing this line into the LDAP directory, I could *not* login as the corresponding user using the password "password". :-(
It is not: We're running OpenLDAP on Debian GNU/Linux...
What is doing the authentication? Are you using pam_unix via an ldap nss module, or maybe pam_ldap?
If pam_unix, see pam_unix/passverify.c in the pam source, which expects an md5 hash to have the format of:
$1$SALT$HASH
like:
$1$6biGTEUt$FrTcXRocuExNsLZItn06l1
However, you have two dollar signs after your salt, and I don't know what that indicates. I tried playing around with your hash but couldn't get it to match 'password' on my Debian system.
Hello Dan,
Dan White, 12.11.2010 (d.m.y):
What is doing the authentication? Are you using pam_unix via an ldap nss module, or maybe pam_ldap?
We're using pam_ldap.
If pam_unix, see pam_unix/passverify.c in the pam source, which expects an md5 hash to have the format of:
$1$SALT$HASH
like:
$1$6biGTEUt$FrTcXRocuExNsLZItn06l1
However, you have two dollar signs after your salt, and I don't know what that indicates. I tried playing around with your hash but couldn't get it to match 'password' on my Debian system.
That's why I suppose that Solaris' MD5 doesn't have that much in common with "GNU MD5". *All* MD5 hashes in Solaris' /etc/shadow start with "$md5$".
Gruss/Regards, Christian Schmidt
Christian Schmidt wrote:
Hello Howard,
thank you very much for your reply.
Howard Chu, 10.11.2010 (d.m.y):
No conversion is necessary, as long as you built OpenLDAP with --enable-crypt and you're using the native C library's crypt() (and not e.g. OpenSSL's crypt())
I just gave this a try and changed a user's password to "password" which resulted in the MD5 hash "$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0".
I created an LDIF file with the following line and imported it into the directory:
userPassword: {CRYPT}$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0
The phrase after {CRYPT} is the hash Solaris put in its /etc/shadow.
After importing this line into the LDAP directory, I could *not* login as the corresponding user using the password "password". :-(
(And the slapd is actually running on Solaris.)
It is not: We're running OpenLDAP on Debian GNU/Linux...
Then you have no chance. Notice I said "and" in all of those conditions above. Since you have not met all of the conditions, this cannot work.
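A small pre-migration audit, added here as an example (it is not code from this thread, from OpenLDAP or from PADL's migrationtools), that turns Dan's format description and Howard's conditions into a check you can run over /etc/shadow before importing anything. slapd's {CRYPT} scheme hands the stored string to the C library's crypt(3), so a hash can only verify if that library understands its setting prefix. The table of prefixes below is an assumption for a glibc-based Debian target of the era (traditional DES, $1$, $5$, $6$ and not Sun's "$md5$"); confirm it against crypt(5) on the real target, since newer libxcrypt builds can include the sunmd5 scheme. The sample shadow lines are constructed; only the two hashes quoted in the thread are real.

```python
"""Audit shadow(5) password fields before a Solaris -> Debian/OpenLDAP move.

Assumption: the target's crypt() is classic glibc, i.e. it knows traditional
DES, $1$ (md5crypt), $5$ (sha256crypt) and $6$ (sha512crypt) but not Sun's
"$md5$" (sunmd5).  Adjust TARGET_CRYPT_PREFIXES after reading crypt(5) there.
"""
import re
from collections import Counter

TARGET_CRYPT_PREFIXES = {  # assumed set; add "$md5$": "sunmd5" if crypt(5) lists it
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# $1$SALT$HASH as Dan describes it: salt of up to 8 chars, 22-char digest.
MD5CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")
# Sun MD5: $md5[,rounds=N]$SALT$$HASH; the "$$" is the oddity Dan noticed.
# An older single-"$" layout is accepted as well.
SUNMD5_RE = re.compile(
    r"^\$md5(?:,rounds=(\d+))?\$([./0-9A-Za-z]{1,8})\$\$?([./0-9A-Za-z]{22})$"
)
# Traditional DES crypt: 13 characters from the crypt alphabet, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# slapd scheme tag such as "{CRYPT}"; scheme names are matched case-insensitively.
SCHEME_TAG_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)


def classify_hash(field):
    """Return (kind, verifiable) for one shadow password field.

    verifiable is True only when the assumed target crypt() can check the
    hash, which is the precondition for a {CRYPT} bind to succeed."""
    if field == "":
        return ("empty", False)
    # Locked or non-login entries: Linux "*"/"!" prefixes, Solaris "*LK*"/"NP".
    if field.startswith(("*", "!")) or field == "NP":
        return ("locked", False)
    if field.startswith("$md5"):
        if not SUNMD5_RE.match(field):
            return ("malformed", False)
        return ("sunmd5", "$md5$" in TARGET_CRYPT_PREFIXES)
    if field.startswith("$1$"):
        if not MD5CRYPT_RE.match(field):
            return ("malformed", False)
        return ("md5crypt", "$1$" in TARGET_CRYPT_PREFIXES)
    if field.startswith("$"):
        prefix = "$" + field.split("$", 2)[1] + "$"  # e.g. "$6$" or "$2a$"
        kind = TARGET_CRYPT_PREFIXES.get(prefix)
        return (kind, True) if kind else ("unknown:" + prefix, False)
    if DES_RE.match(field):
        return ("des", True)
    return ("malformed", False)


def strip_scheme_tag(value):
    """Split an LDAP userPassword value into (SCHEME, payload)."""
    m = SCHEME_TAG_RE.match(value)
    if not m:
        return ("cleartext", value)
    return (m.group(1).upper(), m.group(2))


def classify_userpassword(value):
    """Route a userPassword value the way slapd does: only {CRYPT} payloads
    depend on crypt(3); other schemes are not assessed here (None)."""
    scheme, payload = strip_scheme_tag(value)
    if scheme != "CRYPT":
        return ("scheme:" + scheme.lower(), None)
    return classify_hash(payload)


def audit_shadow(shadow_text):
    """Map each user in shadow-style text to classify_hash() of its field."""
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        report[user] = classify_hash(field)
    return report


def users_needing_reset(report):
    """Accounts whose hash cannot verify on the target and are not locked or
    empty.  Hashes are one-way, so these users need a new password set."""
    return sorted(u for u, (kind, ok) in report.items()
                  if not ok and kind not in ("empty", "locked"))


# Constructed sample: alice carries the Solaris hash of "password" quoted in the
# thread, bob Dan's $1$ example; the remaining fields are syntactic placeholders.
SAMPLE_SHADOW = """\
alice:$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0:14925:0:99999:7:::
bob:$1$6biGTEUt$FrTcXRocuExNsLZItn06l1:14925:0:99999:7:::
carol:xyzABCDEFGHIJ:14925:0:99999:7:::
dave:$6$saltsalt$""" + "A" * 86 + """:14925:0:99999:7:::
erin:*LK*:14925:0:99999:7:::
frank:NP:14925:0:99999:7:::
"""

if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for user, (kind, ok) in report.items():
        print(f"{user:8} {kind:14} {'ok' if ok else 'WILL NOT VERIFY'}")
    print("by kind:", dict(Counter(k for k, _ in report.values())))
    print("need a new password:", users_needing_reset(report))
```

Running it on a real /etc/shadow (or on the {CRYPT} values of the migrationtools LDIF via classify_userpassword) lists the "$md5$" accounts up front, so they can be dealt with before the import instead of being found one failed bind at a time.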
Hello Howard,
Howard Chu, 12.11.2010 (d.m.y):
Christian Schmidt wrote:
It is not: We're running OpenLDAP on Debian GNU/Linux...
Then you have no chance. Notice I said "and" in all of those conditions above.
Sorry.
Since you have not met all of the conditions, this cannot work.
Well - as I would like to understand it a little bit more, could you please drop some more words on why it cannot work? Seems I didn't get the message yet.
Do the Solaris (crypt?) libraries "automatically" enable slapd running on Solaris to handle Sun's MD5 hashed passwords? And is it exactly this that is "missing" on the Linux side?
Thank you very much!
Gruss/Regards, Christian Schmidt
--On Friday, November 12, 2010 8:09 PM +0100 Christian Schmidt christian@siebenbergen.de wrote:
Do the Solaris (crypt?) libraries "automatically" enable slapd running on Solaris to handle Sun's MD5 hashed passwords? And is it exactly this that is "missing" on the Linux side?
http://www.openldap.org/faq/index.cgi?_highlightWords=crypt&file=344
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org