17/06/2007, 03:30   #2
Roberto C. Sánchez
Re: import a md5 hash to openldap userpassword

On Sun, Jun 17, 2007 at 01:03:30AM +0200, Martin Marcher wrote:
> Hello,
>
> this will probably land on some ldap list but maybe someone knows
> offhand:
>
> I have a couple of users in a database with the passwords stored as md5
> hashes
>
> something like
>
> "alice" "3858f62230ac3c915f300c664312c63f" (foobar in plaintext)
>
> Now I want to import alice into ldap
>
> dn: uid=alice,dc=example,dc=com
> objectClass: simpleSecurityObject
> userpassword: {MD5}3858f62230ac3c915f300c664312c63f
>
> which doesn't really work. I found several that suggested using a
> base64 encoded string
>

IIRC, the MD5 format used by ldap, login and so on, is not the same as a
vanilla md5 hash. That is, the password uses a salt and a modified md5
algorithm. Without having the plaintext passwords, I am not sure how
you can convert one to the other.

As a side note, if you are using this ldap for login authentication, you
want to make sure that your clients are configured to use 'pam_password
exop' so that the password hashing gets handled on the server. Of
course, this means that you want an SSL link to your ldap server.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
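
An added example, not part of either message in this thread: OpenLDAP's unsalted `{MD5}` userPassword scheme stores the base64 encoding of the raw 16-byte MD5 digest, so a hex digest like the one in the question can be re-encoded without the plaintext, whereas salted formats such as `{SMD5}` or crypt's `$1$` cannot be derived from it. The function names are illustrative; the DN, digest and password are the ones quoted in the question.

```python
import base64
import binascii
import hashlib
import hmac


def hex_md5_to_userpassword(hex_digest: str) -> str:
    """Re-encode a 32-character hex MD5 digest as a {MD5} userPassword value."""
    hex_digest = hex_digest.strip().lower()
    if len(hex_digest) != 32:
        raise ValueError("expected 32 hex characters (a 16-byte MD5 digest)")
    try:
        raw = binascii.unhexlify(hex_digest)
    except binascii.Error as exc:
        raise ValueError("digest is not valid hex") from exc
    # The scheme prefix is followed by base64 of the raw bytes, not the hex text.
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against an unsalted {MD5} value."""
    if not stored.upper().startswith("{MD5}"):
        raise ValueError("only the unsalted {MD5} scheme is handled here")
    expected = base64.b64decode(stored[5:], validate=True)
    actual = hashlib.md5(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def ldif_modify(dn: str, hex_digest: str) -> str:
    """Build an LDIF change record that sets userPassword on one entry."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hex_md5_to_userpassword(hex_digest)}",
        "",
    ])


if __name__ == "__main__":
    # Values from the question: user alice, digest of the password "foobar".
    record = ldif_modify("uid=alice,dc=example,dc=com",
                         "3858f62230ac3c915f300c664312c63f")
    print(record)
```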

