On Wed, 22 Apr 2009 00:13:51 Michael Ströder wrote:
Ian wrote:
On Tue, 21 Apr 2009 23:07:11 Michael Ströder wrote:
Hmm, which password scheme is used? Are the userPassword values prefixed with {MD5} or with {CRYPT}? In the latter case libcrypt on both systems could be incompatible. So this could be another issue. The general advice is not to use {CRYPT}. Recommended is to use salted SHA-1 (password scheme {SSHA}).
Well FreeBSD is using MD5 for it's encryption and so is the linux workstation.
This does not say much since there are also MD5-based password hashes in Unix crypt.
Is the LDAP server encrypting the hashes as well?
No, the clear-text password is hashed depending on the password scheme together with a random salt.
They don't look like the hashes in master.password
What is master.password?
:-) FBSD equivalent of /etc/shadow
at all, so I guess it is? And that's one reason why you need to use the PADL scripts when you import /etc/passwd into your LDAP directory?
If you import /etc/shadow or whereever your salted Unix password hashes are stored you would use the platform-specific password scheme {CRYPT}.
The password entry looks like this: userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=
^^
The double-colon indicates that the value is base64-encoded in the LDIF representation.
$ python -c "print 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')" {md5}547qEjL5yQnfIp7aDAXd8w==
So this is a plain MD5-hashed password. This password scheme is *not* platform-specific.
So I guess that's why it works logging in from a linux workstation, even though the passwords originally were imported from the FBSD master.passwd file and also works with squid running on the FBSD server.
Is this from your original data?
Yes, taken from the original server's LDAP database.
Do all entries have password values like this? Check that.
Yes, they do!
If yes, then you should not have a problem to migrate this data.
Yet sadly I do have a problem :-/ I have used ldapsearch to confirm that the password hashes are the same on the old & new servers when I use ldapsearch or slapcat to view them. Yet I can't login on the new server. And since the hashes are salted, I can't tell if the actual password is really different.
So I don't know what encoding it's using - is there a setting that controls this? (nothing in slapd.conf that I can see).
There are various relevant settings. But I wonder which component is used for setting the password and which mechanism it uses.
You should also consult the fine articles in the FAQ-O-MATIC:
I'll give that a read tonight and do some more testing.
Cheers,
openldap-technical@openldap.org