[389-users] Re: Imported existing user hashes

I think that historically the way MD5 was represented was really "per product" so our encoding may be different. The source code of md5 in our server is here: https://pagure.io/389-ds-base/blob/master/f/ldap/servers/plugins/pwdstora... https://pagure.io/389-ds-base/blob/master/f/ldap/servers/plugins/pwdstora... So notice our md5 implementation is *unsalted*. So that means that to match your two char salt, you'll need to use the servers crypt support instead, which it looks like you have the format for. First enable password migration: if you don't do this, the server will "rehash" your hash and everything goes bad: cn=config nsslapd-allow-hashed-passwords: on This means you can now directly as cn=Directory Manager write a pre-hashed password to userPassword field. Next, you'll need to make your passwords: {CRYPT}$1$Bq$1C3D9DB22AC6CC3A216E1FA566A642B1 Then supply that to userPassword Finally, test it! See if it works. If not, we'd need to see a sample password I think to help update the code to support your migration. You may want to pay attention to the following PR too: https://pagure.io/389-ds-base/pull-request/50450# This will hopefully be merged soon, and allows the server to "re-hash" your password to a stronger/newer format on bind, not just password change. This will be really helpful for you for a future security improvement over MD5 I hope :) Hope that helps, — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs