2

Let me describe the infrastructure I am trying to configure. There is an OpenLDAP server on CentOS (running slapd 2.4.40) used as a distributed authentication method for a couple of boxes.

Is there a way to modify a user (using an LDIF file and ldapmodify) to change the password with an already hashed one? How do I prevent the new hash from being hashed again?

I have tried a lot of variations on the LDIF file with no luck. Any ideas?

The hash configuration on LDAP is:

password-hash {CRYPT} password-crypt-salt-format "$5$%.16s" 

Thanks!

Update:

@Sven thanks for your reply. I tried your solution (I had also tried it before) and it seems that it keeps hashing the password... I changed the hashing method too. Workaround: assume I'd like to set the password for user george.

  • change the LDAP configuration to SSHA:

    password-hash {SSHA}

  • restart LDAP, etc.

  • hash a new password (testpassword):

    [root@vm ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW

  • prepare the LDIF file:

    [root@vm ~]# cat test.ldif
    dn: cn=george,dc=test,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW

  • alter the user using the previous LDIF:

    [root@vm ~]# ldapmodify -c -a -f ./test.ldif -w 'rootpass!' -D "cn=root,dc=europa,dc=eu"
    modifying entry "dn: cn=george,dc=test,dc=com"

  • check if the changes were applied successfully:

    [root@vm ~]# ldapsearch -x -w 'rootpass!' -D "cn=root,dc=test,dc=com" -b "dc=test,dc=com" -s sub "(objectclass=*)" | grep george -A 3
    # george, test, com
    dn: cn=george,dc=test,dc=com
    loginShell: /bin/bash
    sn: Administrator
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCr/fmBCVOx8io4dLnVeagN61ZW
    --
    cn: george
    homeDirectory: /home/george
    gidNumber: 33222
    uid: george
    userPassword:: e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=

I suppose that the hashed password should appear in userPassword when searching after the user's modification, right?

But:

    {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW != e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=

After that I thought it might be encoded (Base64, for example).

But it's also different:

    [root@ldap01-prototype:~ ] $ echo {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW > test; base64 test
    e1NTSEF9STVDVEkvZG4rcHBmL1hBL0pqejZ5dStMUmZQV3FCUVcK

1 Answer

4

This change operation should use a pre-encrypted password (1234 in this case). Note the {CRYPT} prefix, which tells OpenLDAP to use the standard crypt libraries to validate the password, not the internal methods like {SSHA}.

    dn: uid=johndoe,ou=users,dc=example,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {CRYPT}$6$NxKjjJP/Jlf$TrtCUMfi1uUpZDtYYvtFO2DlMsxntZ1ulzrTppJkqAZbX1Nv4WhdJ4vJbZcQDyWZVeGadtVQjqUHNZMT1FP8d0

Note: Using {CRYPT} is really only meant as a temporary migration aid away from /etc/shadow. It is better to use {SSHA} passwords with OpenLDAP. See this to learn how to generate these.
