I've migrated some users from openldap to fds-1.0.4. I got the ldif file with ldapsearch. Then, the resulting user ldif file was transferred to fds through the Directory Server Console via the "Import Databases" option under the "Tasks" tab. Everything seems fine. All users' data are imported to fds which can be verified in the Console.
There's one problem, however. None of these users can log in. Their passwords are rejected with invalid credentials error. However, if I change their passwords manually in the Directory Console, they can log in fine! Is there a way to transfer their passwords correctly?!
Thanks in advance,
SWA
Saied W. Andalib wrote:
I've migrated some users from openldap to fds-1.0.4. I got the ldif file with ldapsearch. Then, the resulting user ldif file was transferred to fds through the Directory Server Console via the "Import Databases" option under the "Tasks" tab. Everything seems fine. All users' data are imported to fds which can be verified in the Console.
There's one problem, however. None of these users can log in. Their passwords are rejected with invalid credentials error. However, if I change their passwords manually in the Directory Console, they can log in fine! Is there a way to transfer their passwords correctly?!
What does a typical user's userPassword attribute look like in the LDIF file from OpenLDAP?
Thanks in advance,
SWA
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Some look like this:
userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
Others use SSHA hash:
userPassword: {SSHA}vzuh+zzerKQa3BnzcvUgHF8WwSZydeN+
SWA
Saied W. Andalib wrote:
Some look like this:
userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
I'm not sure what this is. Fedora DS expects the userPassword to either be the clear text value
userPassword: mypassword
or a hash with the hash type in the front
userPassword: {SSHA}POTNkUVliY215UDZXaDFIdURI==
I'm not sure what e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA= is.
Others use SSHA hash:
userPassword: {SSHA}vzuh+zzerKQa3BnzcvUgHF8WwSZydeN+
SWA
On Thu, Jul 05, 2007 at 11:20:52AM -0600, Richard Megginson wrote:
Saied W. Andalib wrote:
Some look like this:
userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
I'm not sure what this is. Fedora DS expects the userPassword to either be the clear text value
userPassword: mypassword
or a hash with the hash type in the front
userPassword: {SSHA}POTNkUVliY215UDZXaDFIdURI==
I'm not sure what e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA= is.
The "=" on the end suggests that it's base64, and the example was missing the extra ":" which would indicate that it is. Decoding that gives "{SSHA}oIYyblX7O93dQYbcmyP6Wh1HuDHCkfB0".
Perhaps the value was accidentally converted so that it's actually being stored that way in the directory, when it shouldn't be.
HTH,
Nalin
Some ldapsearch binaries base64-encode password strings in their output. Not sure if this is what's happening for you, or if you actually have the password string stored as a base64 string in your directory database. If you want to decode the base64 strings, this link might be useful for you: http://www.openldap.org/faq/data/cache/1353.html
Nalin Dahyabhai wrote:
On Thu, Jul 05, 2007 at 11:20:52AM -0600, Richard Megginson wrote:
Saied W. Andalib wrote:
Some look like this:
userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
I'm not sure what this is. Fedora DS expects the userPassword to either be the clear text value
userPassword: mypassword
or a hash with the hash type in the front
userPassword: {SSHA}POTNkUVliY215UDZXaDFIdURI==
I'm not sure what e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA= is.
The "=" on the end suggests that it's base64, and the example was missing the extra ":" which would indicate that it is. Decoding that gives "{SSHA}oIYyblX7O93dQYbcmyP6Wh1HuDHCkfB0".
Perhaps the value was accidentally converted so that it's actually being stored that way in the directory, when it shouldn't be.
HTH,
Nalin
Thanks for replying. It seems ldapsearch converts all the SSHA hashed passwords to some other type, maybe base64. Is there a way to get the original {SSHA} hashed passwords back?
SWA
389-users@lists.fedoraproject.org
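Added example, not part of the original thread: a small Python check that takes userPassword lines like the ones quoted above, decodes base64 values (with or without the "::" marker) and confirms the {SSHA} payload has the usual shape of a 20-byte SHA-1 digest followed by a salt. The function names are hypothetical, and it assumes each attribute sits on one unfolded LDIF line.

```python
import base64
import binascii
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def _b64(data):
    """Strict base64 decode; None when the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def normalize_userpassword(line):
    """Return (ldif_line, note) with any {SCHEME} prefix made visible."""
    attr, sep, rest = line.partition(":")
    if not sep or attr.strip().lower() != "userpassword":
        return line, "not a userPassword line"
    if rest.startswith(":"):            # "::" marks a base64-encoded LDIF value
        value = _b64(rest[1:].strip())
        note = "decoded '::' base64 value"
    else:
        value = rest.strip().encode()
        note = "unchanged"
        if not SCHEME_RE.match(value):  # no prefix: an encoded hash missing "::"?
            inner = _b64(value)
            if inner and SCHEME_RE.match(inner):
                value, note = inner, "decoded base64 value that lacked '::'"
    if value is None or not value.isascii():
        return line, "left as-is (not base64 text)"
    m = SCHEME_RE.match(value)
    if m and m.group(1).upper() == b"SSHA":
        raw = _b64(m.group(2))          # SSHA payload = 20-byte SHA-1 digest + salt
        if raw is None or len(raw) <= 20:
            note += "; malformed SSHA payload"
    return "userPassword: " + value.decode("ascii"), note

# Values quoted in the thread above, plus the "::" form ldapsearch would print
SAMPLES = [
    "userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=",
    "userPassword:: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=",
    "userPassword: {SSHA}vzuh+zzerKQa3BnzcvUgHF8WwSZydeN+",
    "userPassword: mypassword",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize_userpassword(sample))
```

A value that still lacks a {SCHEME} prefix after this pass is treated by the server as clear text, which matches the "invalid credentials" symptom described at the top of the thread.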