Convert existing openLDAP password from SSHA to SHA-1

Alexandre Cavalcante Alencar alexandre.alencar-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Aug 19 19:30:11 UTC 2011


Hi all,

William, you can do so by changing the *password-hash* param in your
slapd.conf file. This param takes one or more hashing functions to be used
for storing the hashed version of the password.

As stated in slapd.conf (5) man page:

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a
seed. {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
with a seed.


You can add the following to make your setup work

password-hash {SSHA} {SHA}

or

password-hash {SSHA} {MD5}

This will add a new userPassword attribute to objects when they call the
LDAP Password Modify Extended Operation (RFC 3062).

As stated in the man page:

Note that this option does not alter the normal user applications handling
of userPassword during LDAP Add, Modify, or other LDAP operations.


After making the change in slapd.conf, you need to restart the daemon and
let all users change their passwords (in the normal fashion or forced by
password expiry).

Best Regards

Alexandre Alencar
Twitter @alexandreitpro
http://blog.alexandrealencar.net/
http://www.alexandrealencar.net/
http://www.alexandrealencar.com
http://www.servicosdeti.com.br/
COBIT, ITIL, CSM, LPI, MCP-I




On Fri, Aug 19, 2011 at 2:50 PM, William Muriithi <
william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

> Afternoon,
>
> I have a question for which I have not found a solution despite tinkering
> with it and googling for weeks.  I would like to share it here and hope
> someone could have a suggestion/solution, or just a confirmation that this
> may not be possible.
>
> I would like to move some users to Google services through a Postini
> application called "Google Apps Directory Sync". This application only
> supports MD5 and SHA-1.  It happens, though, that openLDAP does not hash the
> password as either MD5 or SHA-1, and I am therefore getting an error
> "InvalidHashDigestLength" when I run the Postini application.
>
> What I have been looking for is a means of converting the existing
> passwords to SHA-1, and I have not been successful. Any pointers or advice
> on where I can start?
>
> Regards,
>
> William
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
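As an added illustration (not code from either poster), the script below shows the two userPassword formats slapd writes, {SHA} and {SSHA}, and why an existing {SSHA} value cannot be rewritten as {SHA}: the salt is stored in the value, but the digest already covers password plus salt, so only a new password change (which is what `password-hash {SSHA} {SHA}` hooks into) can produce the unsalted form. Function names and the sample password are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# RFC 2307 style values as slapd stores them:
#   {SHA}base64(sha1(password))
#   {SSHA}base64(sha1(password + salt) + salt)
SHA1_DIGEST_LEN = 20


def make_sha(password: str) -> str:
    """Unsalted {SHA}: what `password-hash ... {SHA}` makes slapd store."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: slapd's default scheme (random seed appended)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(value: str) -> Tuple[str, bytes, bytes]:
    """Split '{SCHEME}base64' into (scheme, digest, salt); salt is b'' for {SHA}."""
    scheme, _, b64 = value.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(b64)
    if scheme == "SHA":
        return scheme, raw, b""
    if scheme == "SSHA":
        return scheme, raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
    raise ValueError("unsupported scheme: " + scheme)


def verify(password: str, stored: str) -> bool:
    """Check a cleartext against either format; only the salt is recoverable."""
    _, digest, salt = parse_userpassword(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def values_on_password_change(password: str) -> List[str]:
    """userPassword values `password-hash {SSHA} {SHA}` yields on Password Modify."""
    return [make_ssha(password), make_sha(password)]


def has_acceptable_hash(values: List[str], accepted=("SHA", "MD5")) -> bool:
    """True once an entry carries a scheme the sync tool can consume."""
    return any(parse_userpassword(v)[0] in accepted for v in values)
```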