
I am looking for a way to migrate a huge Synapse home server database to OpenLDAP without resetting the users' passwords. Migration to LDAP is necessary as we would like to integrate all our online services with each other.

Therefore, I am looking for a way to make OpenLDAP understand Synapse's password hashes.

Synapse's hashing algorithm is explained here:

    pw = unicodedata.normalize("NFKC", password)
    hashed = bcrypt.hashpw(
        pw.encode('utf8') + password_pepper.encode("utf8"),
        bcrypt.gensalt(bcrypt_rounds),
    ).decode('ascii')

Is it possible to implement such a hashing on OpenLDAP or any other open source LDAP server?

1 Answer

If bcrypt is a valid algorithm for the underlying system it should work as part of OpenLDAP's CRYPT password storage scheme.

If, for instance, your existing password hashes look like $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy you should be able to set the userPassword attribute in OpenLDAP to {CRYPT}$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy and then authenticate.
(If you're doing this on the command line, make sure that the $text isn't interpreted as a shell variable before being input into the database.)

  • They are $2b$12$...hash... but otherwise this ought to work, at least on a modern Linux system. Commented Feb 13, 2021 at 23:21
  • I am given the following error by OpenLDAP when checking the password: Unrecognized error number: 8192: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. Commented Feb 16, 2021 at 6:23
  • @TheOneWithTheBraid Were you able to figure out a solution? Commented May 1, 2022 at 5:28
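
The {CRYPT} approach from the answer, written out as an added example (not part of the original question, answer or comments): it turns Synapse (user id, password hash) rows into LDIF modify records and refuses input that {CRYPT} could not verify. The base DN, the uid mapping, the restricted localpart pattern and the sample rows are assumptions, and it presumes the LDAP host's crypt(3) supports bcrypt.

```python
import re

# bcrypt in modular crypt format: $2a/$2b/$2y, 2-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Conservative localpart pattern so the uid needs no DN escaping (assumption)
USER_ID_RE = re.compile(r"^@([a-z0-9._-]+):[^\s:]+(?::\d+)?$")
BASE_DN = "ou=people,dc=example,dc=org"  # hypothetical directory layout


def to_ldif(rows, password_pepper=""):
    """Return (ldif_text, skipped) for an iterable of (user_id, password_hash)."""
    if password_pepper:
        # Synapse hashes NFKC(password) + pepper, but a {CRYPT} check hands only
        # the bind password to crypt(3), so peppered hashes would never match.
        raise ValueError("peppered hashes cannot be verified by {CRYPT}")
    records, skipped = [], []
    for user_id, pw_hash in rows:
        user = USER_ID_RE.match(user_id)
        bcrypt_hash = BCRYPT_RE.match(pw_hash or "")  # hash may be NULL in the DB
        if not user:
            skipped.append((user_id, "unsupported user id"))
        elif not bcrypt_hash:
            skipped.append((user_id, "not a bcrypt hash"))
        elif not 4 <= int(bcrypt_hash.group(1)) <= 31:
            skipped.append((user_id, "invalid bcrypt cost"))
        else:
            records.append(
                f"dn: uid={user.group(1)},{BASE_DN}\n"
                "changetype: modify\n"
                "replace: userPassword\n"
                f"userPassword: {{CRYPT}}{pw_hash}\n"
            )
    return "\n".join(records), skipped


# Constructed sample rows; the first hash is the example value quoted in the answer.
SAMPLE_ROWS = [
    ("@alice:example.org", "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("@bob:example.org", "$6$rounds=5000$notbcrypt"),
    ("@c,d:example.org", "$2b$12$" + "A" * 53),
]

if __name__ == "__main__":
    ldif, skipped = to_ldif(SAMPLE_ROWS)
    print(ldif)
    print("skipped:", skipped)
```

Writing the output to a file and loading it with `ldapmodify -f` keeps the `$` characters away from shell expansion. Passwords that change under NFKC normalization will still fail to bind even with an empty pepper, because the directory hashes the bytes it receives.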
