Hi,
We recently upgraded one of our Apache servers from an htpasswd-based authentication to an OpenLDAP-based one. As part of this, we had to move users identified by a username+password and faced the problem of converting the APR1 (Apache salted-MD5) hashes to OpenLDAP. We managed to migrate crypt and MD5 ($1$) hashes successfully as they are managed by OpenLDAP standard components.
This is not the case for APR1 hashes, AFAIK. As documented on the OpenLDAP site, we built, installed and loaded pw-apr1.so from contrib/ in the sources. With Perl Digest::MD5 + MIME::Base64::encode_base64, I have been able to generate an MD5 hash ({MD5} prefix in userPassword) that works with {MD5}, so I'm pretty confident that pw-apr1.so works properly.
But I'm stuck with APR1 passwords as I don't understand what should be done to transform a $apr1$... hash into the {APR1}... format. According to an example given in the issue http://www.openldap.org/its/index.cgi/Contrib?id=7869;page=9;statetype=-1 (related to a former bug in apr1.c), $apr1$pepperon$VBD3GaYfoFXuIcZrTw/Y// should transform into {APR1}FK7q3pAf80k0Wh9BYZJ0FHBlcHBlcm9u, but I have no clue how to get such a transformation done (it does not seem to be a trivial encoding to base64).
Any help would be very much appreciated! Cheers,
Michel
Hi,
it has been too long since I've done some serious brain-breaking over this, but the md5(salt+password) (or something derived from it) is clearly in the first 16 bytes of the LDAP-form ({APR1}FK7q3pAf80k0Wh9BYZJ0FHBlcHBlcm9u) hash:
% echo "FK7q3pAf80k0Wh9BYZJ0FHBlcHBlcm9u" | base64 -d | hexdump -C
00000000  14 ae ea de 90 1f f3 49  34 5a 1f 41 61 92 74 14  |.......I4Z.Aa.t.|
00000010  70 65 70 70 65 72 6f 6e                           |pepperon|
00000018
As for how this relates to the apache md5 form, you'll probably have to do a critical reading of http://cpansearch.perl.org/src/RSAVAGE/Crypt-PasswdMD5-1.40/lib/Crypt/Passwd... - it appears to do some pretty funky transformations.
Best, Luke
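Luke's hexdump shows that the {APR1} payload is just the 16 raw MD5 output bytes followed by the salt; the 22-character part of an $apr1$ string carries those same 16 bytes in Apache's crypt-style "to64" encoding, which emits 6 bits per character low bits first and walks the digest in a fixed byte permutation. The Python below is an added example (not code from this thread or from the ITS patch) that undoes that encoding and re-wraps the digest, checked against the pair of values quoted above:

```python
import base64

# crypt(3)/APR1 "to64" alphabet; each character carries 6 bits, low group first.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Digest byte order used by Apache's apr_md5_encode: each 4-char group packs the
# three digest bytes listed here as (hi, mid, lo); the trailing 2-char group
# encodes digest byte 11 on its own.
_GROUPS = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]


def _from64(chunk: str) -> int:
    """Decode a 2- or 4-char to64 group into an integer (first char = lowest 6 bits)."""
    value = 0
    for i, ch in enumerate(chunk):
        idx = _ITOA64.find(ch)
        if idx < 0:
            raise ValueError(f"invalid APR1 character {ch!r}")
        value |= idx << (6 * i)
    return value


def apr1_digest(encoded: str) -> bytes:
    """Turn the 22-char APR1 hash part back into the 16 raw MD5 bytes."""
    if len(encoded) != 22:
        raise ValueError("APR1 hash part must be exactly 22 characters")
    digest = bytearray(16)
    for g, (hi, mid, lo) in enumerate(_GROUPS):
        v = _from64(encoded[4 * g:4 * g + 4])
        digest[hi], digest[mid], digest[lo] = (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF
    digest[11] = _from64(encoded[20:22]) & 0xFF
    return bytes(digest)


def apr1_to_ldap(htpasswd_hash: str) -> str:
    """Convert '$apr1$<salt>$<22 chars>' into '{APR1}' + base64(digest || salt)."""
    parts = htpasswd_hash.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    salt, encoded = parts[2], parts[3]
    if not 1 <= len(salt) <= 8:
        raise ValueError("APR1 salt must be 1..8 characters")
    raw = apr1_digest(encoded) + salt.encode("ascii")
    return "{APR1}" + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # The htpasswd value quoted in the thread; expected LDAP form is given there too.
    print(apr1_to_ldap("$apr1$pepperon$VBD3GaYfoFXuIcZrTw/Y//"))
```

The converted value only works if pw-apr1.so is loaded on the server; it does not change the underlying hash, so a later rehash to a stronger scheme on next login is still worth planning.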
Michel Jouvin wrote:
Hi,
We recently upgraded one of our Apache servers from an htpasswd-based authentication to an OpenLDAP-based one. As part of this, we had to move users identified by a username+password and faced the problem of converting the APR1 (Apache salted-MD5) hashes to OpenLDAP. We managed to migrate crypt and MD5 ($1$) hashes successfully as they are managed by OpenLDAP standard components.
This is not the case for APR1 hashes, AFAIK. As documented on the OpenLDAP site, we built, installed and loaded pw-apr1.so from contrib/ in the sources. With Perl Digest::MD5 + MIME::Base64::encode_base64, I have been able to generate an MD5 hash ({MD5} prefix in userPassword) that works with {MD5}, so I'm pretty confident that pw-apr1.so works properly.
But I'm stuck with APR1 passwords as I don't understand what should be done to transform a $apr1$... hash into the {APR1}... format. According to an example given in the issue http://www.openldap.org/its/index.cgi/Contrib?id=7869;page=9;statetype=-1 (related to a former bug in apr1.c), $apr1$pepperon$VBD3GaYfoFXuIcZrTw/Y// should transform into {APR1}FK7q3pAf80k0Wh9BYZJ0FHBlcHBlcm9u, but I have no clue how to get such a transformation done (it does not seem to be a trivial encoding to base64).
Any help would be very much appreciated! Cheers,
ITS#7869 is based on ITS#6826. The conversion you're looking for is there. http://www.openldap.org/its/index.cgi/Contrib?id=6826
Thanks, it definitely seems to be what I was looking for.
Cheers,
Michel Jouvin
Sent from my mobile
On 11 April 2016 14:08:08 Howard Chu hyc@symas.com wrote:
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/