import a md5 hash to openldap userpassword

17/06/2007, 00h10

Hello,

this will probably land on some ldap ldap list but maybe someone knows offhand:

i have a couple of users in a database with the passwords stored as md5 hashes

something like

"alice" "3858f62230ac3c915f300c664312c63f" (foobar in plaintext)

Now i want to import alice into ldap

dn: uid=alice,dc=example,dc=com
objectClass: simpleSecurityObject
userpassword: {MD5}3858f62230ac3c915f300c664312c63f

which doesn't really work. I found serveral that suggested using a
base64 encoded string

so I tried:

userpassword:: Mzg1OGY2MjIzMGFjM2M5MTVmMzAwYzY2NDMxMmM2M2Y=
userpassword: {MD5}Mzg1OGY2MjIzMGFjM2M5MTVmMzAwYzY2NDMxMmM2M2Y=

all to no avail.

any hints on the right format (I don't have the plaintext passwords
and I'd prefer not to spend time with brute forcing them)

thanks
martin

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 02h30

On Sun, Jun 17, 2007 at 01:03:30AM +0200, Martin Marcher wrote:
> Hello,
>
> this will probably land on some ldap ldap list but maybe someone knows
> offhand:
>
> i have a couple of users in a database with the passwords stored as md5
> hashes
>
> something like
>
> "alice" "3858f62230ac3c915f300c664312c63f" (foobar in plaintext)
>
> Now i want to import alice into ldap
>
> dn: uid=alice,dc=example,dc=com
> objectClass: simpleSecurityObject
> userpassword: {MD5}3858f62230ac3c915f300c664312c63f
>
> which doesn't really work. I found serveral that suggested using a
> base64 encoded string
>
IIRC, the MD5 format used by ldap, login and so on, is not the same as a
vanilla md5 hash. That is, the password uses a salt and a modified md5
algorithm. Without having the plaintext passwords, I am not sure how
you can convert one to the other.

As a side note, if you are using this ldap for login authentication, you
want to make sure that your clients are configured to use 'pam_password
exop' so that the password hashing gets handled on the server. Of
course, this means that you want an SSL link to your ldap server.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGdIy91snWssAFC08RAlQZAJkB+9Xex469Y+xobJg7TD 1KNYo6wgCgmOqw
ee6Bk6X4kA0vb5MQ0BxrZYY=
=NC5H
-----END PGP SIGNATURE-----

17/06/2007, 00h10	#1
Martin Marcher Messages: n/a Hébergeur:	import a md5 hash to openldap userpassword Hello, this will probably land on some ldap ldap list but maybe someone knows offhand: i have a couple of users in a database with the passwords stored as md5 hashes something like "alice" "3858f62230ac3c915f300c664312c63f" (foobar in plaintext) Now i want to import alice into ldap dn: uid=alice,dc=example,dc=com objectClass: simpleSecurityObject userpassword: {MD5}3858f62230ac3c915f300c664312c63f which doesn't really work. I found serveral that suggested using a base64 encoded string so I tried: userpassword:: Mzg1OGY2MjIzMGFjM2M5MTVmMzAwYzY2NDMxMmM2M2Y= userpassword: {MD5}Mzg1OGY2MjIzMGFjM2M5MTVmMzAwYzY2NDMxMmM2M2Y= all to no avail. any hints on the right format (I don't have the plaintext passwords and I'd prefer not to spend time with brute forcing them) thanks martin -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 02h30	#2
Roberto C. Sánchez Messages: n/a Hébergeur:	Re: import a md5 hash to openldap userpassword On Sun, Jun 17, 2007 at 01:03:30AM +0200, Martin Marcher wrote: > Hello, > > this will probably land on some ldap ldap list but maybe someone knows > offhand: > > i have a couple of users in a database with the passwords stored as md5 > hashes > > something like > > "alice" "3858f62230ac3c915f300c664312c63f" (foobar in plaintext) > > Now i want to import alice into ldap > > dn: uid=alice,dc=example,dc=com > objectClass: simpleSecurityObject > userpassword: {MD5}3858f62230ac3c915f300c664312c63f > > which doesn't really work. I found serveral that suggested using a > base64 encoded string > IIRC, the MD5 format used by ldap, login and so on, is not the same as a vanilla md5 hash. That is, the password uses a salt and a modified md5 algorithm. Without having the plaintext passwords, I am not sure how you can convert one to the other. As a side note, if you are using this ldap for login authentication, you want to make sure that your clients are configured to use 'pam_password exop' so that the password hashing gets handled on the server. Of course, this means that you want an SSL link to your ldap server. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFGdIy91snWssAFC08RAlQZAJkB+9Xex469Y+xobJg7TD 1KNYo6wgCgmOqw ee6Bk6X4kA0vb5MQ0BxrZYY= =NC5H -----END PGP SIGNATURE-----

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email