Ian Moore wrote:

Hi, I'm trying to migrate my directory from one server to another (I'm building a replacement server and want to test everything before changing over). The old server is FreeBSD 5 with openldap-server-2.3.39 The new one is FreeBSD 7.1 with openldap-server-2.3.43

Why not use OpenLDAP 2.4.16 on the new server. It's marked stable and 2.3.x is not actively maintained anymore.

I thought I would be able to use ldapsearch to dump the contents of the old server to an ldif file and then import it into the new one using ldapadd. [..] So it appears that the passwords for user objects are not being transferred correctly from the old system to the new (all the other information seems correct).

LDAP search is subject to access control. It's good news that you couldn't download userPassword values.

For various reasons I'd strongly recommend to use slapcat on the old server to export the data and slapadd on the new server to import it.

I'm using md5 passwords on both systems (the freebsd default) and I've checked that the new server & the workstation are set to use md5. [..] I also tried using slapcat to create the ldif file, but that made no difference.

Hmm, which password scheme is used? Are the userPassword values prefixed with {MD5} or with {CRYPT}? In the latter case libcrypt on both systems could be incompatible. So this could be another issue. The general advice is not to use {CRYPT}. Recommended is to use salted SHA-1 (password scheme {SSHA}).

If I look at the encrypted password before and after resetting it, the password hashes are different, even though they are supposedly the same password.

This could be because a salt is added before generating the hash.

Ciao, Michael.