Re: How to convert Solaris m5 passwords to LDAP?
Christian Schmidt wrote:

> Hello Howard,
>
> thank you very much for your reply.
>
> Howard Chu, 10.11.2010 (d.m.y):
>
>> No conversion is necessary, as long as you built OpenLDAP with --enable-crypt and you're using the native C library's crypt() (and not e.g. OpenSSL's crypt())
>
> I just gave this a try and changed a user's password to "password" which resulted in the MD5 hash $md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0. I created an LDIF file with the following line and imported it into the directory:
>
> userPassword: {CRYPT}$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0
>
> The phrase after {CRYPT} is the hash Solaris put in its /etc/shadow. After importing this line into the LDAP directory, I could *not* login as the corresponding user using the password "password". :-(
>
>> (And the slapd is actually running on Solaris.)
>
> It is not: We're running OpenLDAP on Debian GNU/Linux...

Then you have no chance. Notice I said "and" in all of those conditions above. Since you have not met all of the conditions, this cannot work.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: How to convert Solaris m5 passwords to LDAP?
Hello Dan,

Dan White, 12.11.2010 (d.m.y):

> What is doing the authentication? Are you using pam_unix via an ldap nss module, or maybe pam_ldap?

We're using pam_ldap.

> If pam_unix, see pam_unix/passverify.c in the pam source, which expects an md5 hash to have the format of:
>
> $1$SALT$HASH
>
> like:
>
> $1$6biGTEUt$FrTcXRocuExNsLZItn06l1
>
> However, you have two dollar signs after your salt, and I don't know what that indicates. I tried playing around with your hash but couldn't get it to match 'password' on my Debian system.

That's why I suppose that Solaris' MD5 has not that much in common with GNU MD5. *All* MD5 hashes in Solaris' /etc/shadow start with $md5$.

Gruss/Regards,
Christian Schmidt

--
Q: Why was Stonehenge abandoned? A: It wasn't IBM compatible.
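An added example, not part of the thread: a pre-migration audit that sorts shadow entries by their crypt prefix, so `$md5$` (Sun MD5) hashes are found before they are imported as {CRYPT} values the target cannot verify. The `TARGET_SUPPORTED` set, the user names and carol's hash are assumptions made for illustration.

```python
import re

# Modular-crypt prefixes: the prefix alone decides which algorithm crypt() needs.
SCHEMES = [
    ("sun-md5", re.compile(r"^\$md5[$,]")),            # Solaris only
    ("md5-crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("sha256-crypt", re.compile(r"^\$5\$")),
    ("sha512-crypt", re.compile(r"^\$6\$")),
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

# ASSUMPTION: what the destination host's crypt() can verify. Sun MD5 is
# left out, matching the Debian system described in the thread.
TARGET_SUPPORTED = {"md5-crypt", "sha256-crypt", "sha512-crypt", "des-crypt"}

def classify(field):
    # Return the scheme name for one shadow password field.
    if field in ("", "NP") or field[0] in "*!":
        return "locked"                      # no usable password hash
    for name, pattern in SCHEMES:
        if pattern.search(field):
            return name
    return "unknown"

def audit(shadow_text):
    # Map each user to (scheme, action) for a {CRYPT} import.
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        scheme = classify(field)
        if scheme == "locked":
            action = "skip"
        elif scheme in TARGET_SUPPORTED:
            action = "import"                # bind will work with {CRYPT}
        else:
            action = "reset"                 # hash cannot be verified or converted
        report[user] = (scheme, action)
    return report

# Constructed sample: names and carol's hash are made up; alice/bob use the thread's hashes.
SAMPLE = """\
alice:$md5$4bNuD9JW$$P/Lr2qkcw9wv1yYNokfQG0:14925::::::
bob:$1$6biGTEUt$FrTcXRocuExNsLZItn06l1:14925::::::
carol:abJnggxhB/yWI:14925::::::
dave:*LK*:::::::
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts flagged `reset` need a new password set on the target, because a one-way hash cannot be re-encoded into another scheme without the plaintext.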
Re: How to convert Solaris m5 passwords to LDAP?
Hello Howard,

Howard Chu, 12.11.2010 (d.m.y):

> Christian Schmidt wrote:
>
>> It is not: We're running OpenLDAP on Debian GNU/Linux...
>
> Then you have no chance. Notice I said "and" in all of those conditions above.

Sorry.

> Since you have not met all of the conditions, this cannot work.

Well - as I would like to understand it a little bit more, could you please drop some more words on why it cannot work? Seems I didn't get the message yet.

Do the Solaris (crypt?) libraries automatically enable slapd running on Solaris to handle Sun's MD5 hashed passwords? And is it exactly this what is missing on the linux side?

Thank you very much!

Gruss/Regards,
Christian Schmidt

--
A few hours grace before the madness begins again.
Re: How to convert Solaris m5 passwords to LDAP?
--On Friday, November 12, 2010 8:09 PM +0100 Christian Schmidt christ...@siebenbergen.de wrote:

> Do the Solaris (crypt?) libraries automatically enable slapd running on Solaris to handle Sun's MD5 hashed passwords? And is it exactly this what is missing on the linux side?

http://www.openldap.org/faq/index.cgi?_highlightWords=cryptfile=344

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
How to convert Solaris m5 passwords to LDAP?
Hi all,

we want to switch a server machine from Solaris (credentials stored in traditional passwd and shadow file) to Debian with OpenLDAP for authentication.

Creating LDIF files from /etc/passwd and /etc/shadow using PADL's migrationtools is working fine. The only problem is, that many user passwords on the Solaris machine have been encrypted using Sun's md5 scheme which results in hashes beginning with the characters $md5$.

These hashes can be imported into our LDAP directory, but they cannot be used for authentication: Each attempt results in access denied on the client side and LDAP bind errors on the server side. Even when adding the user information to /etc/passwd and /etc/shadow on the Linux machine, there's no success. With CRYPT password hashes, everything works fine.

Do you know any means to convert these Solaris-md5-hashed password strings into something we can use with OpenLDAP?

I appreciate your helpful answers. Thanks in advance!

Gruss/Regards,
Christian Schmidt

--
You have an ability to sense and know higher truth.
Re: How to convert Solaris m5 passwords to LDAP?
Christian Schmidt wrote:

> Hi all,
>
> we want to switch a server machine from Solaris (credentials stored in traditional passwd and shadow file) to Debian with OpenLDAP for authentication.
>
> Creating LDIF files from /etc/passwd and /etc/shadow using PADL's migrationtools is working fine. The only problem is, that many user passwords on the Solaris machine have been encrypted using Sun's md5 scheme which results in hashes beginning with the characters $md5$.
>
> These hashes can be imported into our LDAP directory, but they cannot be used for authentication: Each attempt results in access denied on the client side and LDAP bind errors on the server side. Even when adding the user information to /etc/passwd and /etc/shadow on the Linux machine, there's no success. With CRYPT password hashes, everything works fine.
>
> Do you know any means to convert these Solaris-md5-hashed password strings into something we can use with OpenLDAP?
>
> I appreciate your helpful answers. Thanks in advance!

No conversion is necessary, as long as you built OpenLDAP with --enable-crypt and you're using the native C library's crypt() (and not e.g. OpenSSL's crypt()) and the password is stored with the {crypt} tag. (And the slapd is actually running on Solaris.)

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/