I wrote a script to create an ldif file out of a list of usernames and md5 passwds from a psql db, that I use for apache auth. But their original passwords are not working.
The usernames are just a list, and the passwds are just a list in md5 format as well. They are importing correctly, and I can see them in phpldapadmin in the correct area as all the other users.
Here is an example of one of the ldif files I am importing as a test:
Code:
dn: uid=test5,ou=Users,dc=corpedia,dc=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
userPassword: {md5}2b3a1858080c5c2ef9b5b813a6a3b1ea
uid: test5
uidNumber: 7040
gidNumber: 1999
homeDirectory: /home/test5/
cn: test5
sn: test5
Here is the output from when I add the user:
Code:
[kylec@heracross tmp]$ ldapadd -H ldaps://*******.*******.internal -x -D "cn=admin,dc=**********,dc=internal" -f ldaptest.dif -W
Enter LDAP Password:
adding new entry "uid=test6,ou=Users,dc=corpedia,dc=internal"
Here is what I see in the ldap log as the user tries to authenticate via apache mod_ldap with his original md5 passwd from psql; he fails.
Code:
>>> dnPrettyNormal: <uid=test6,ou=Users,dc=corpedia,dc=internal>
=> ldap_bv2dn(uid=test6,ou=Users,dc=corpedia,dc=internal,0)
<= ldap_bv2dn(uid=test6,ou=Users,dc=corpedia,dc=internal)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=test6,ou=Users,dc=corpedia,dc=internal)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=test6,ou=users,dc=corpedia,dc=internal)=0
<<< dnPrettyNormal: <uid=test6,ou=Users,dc=corpedia,dc=internal>, <uid=test6,ou=users,dc=corpedia,dc=internal>
do_bind: version=3 dn="uid=test6,ou=Users,dc=corpedia,dc=internal" method=128
==> bdb_bind: dn: uid=test6,ou=Users,dc=corpedia,dc=internal
bdb_dn2entry("uid=test6,ou=users,dc=corpedia,dc=internal")
send_ldap_result: conn=82 op=5 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=6 tag=97 err=49
ber_flush: 14 bytes to sd 23
connection_get(23)
connection_get(23): got connid=82
connection_read(23): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
ber_get_next on fd 23 failed errno=0 (Success)
Once I set the passwd like this:
Code:
[kylec@********* ~]$ ldappasswd -D "cn=admin,dc=********,dc=internal" -W -H ldaps://********.********.internal -x "uid=test5,ou=Users,dc=********,dc=internal"
Enter LDAP Password:
New password: T2KTlYdb
Result: Success (0)
He can now log in successfully.
Any ideas? Is the format possibly wrong for that md5 line? Can I even do what I'm trying to do?
Thanks for any help!
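
Added example (not part of the original post): OpenLDAP's {MD5} scheme stores the base64 encoding of the 16 raw digest bytes, not the 32-character hex string, so a hex value like the one in the LDIF above cannot match at bind time. The sketch assumes the psql column holds plain unsalted md5(password) in hex; the function names, the base DN and the sample password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re


def ldap_md5_from_hex(hex_digest):
    """Turn a 32-character hex MD5 digest into an OpenLDAP {MD5} value."""
    cleaned = hex_digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cleaned):
        raise ValueError("not a 32-character hex MD5 digest: %r" % hex_digest)
    # {MD5} holds base64 of the raw digest bytes, not the hex text.
    return "{MD5}" + base64.b64encode(bytes.fromhex(cleaned)).decode("ascii")


def md5_value_matches(password, user_password):
    """Check a cleartext password against a {MD5} userPassword value."""
    scheme, _, encoded = user_password.partition("}")
    if scheme.upper() != "{MD5":
        raise ValueError("only the {MD5} scheme is handled here")
    try:
        stored = base64.b64decode(encoded, validate=True)
    except binascii.Error:
        return False
    candidate = hashlib.md5(password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)


def ldif_entry(uid, uid_number, hex_digest, gid_number=1999,
               base_dn="ou=Users,dc=example,dc=internal"):  # placeholder DN
    """Build one LDIF entry with the attribute set used in the post."""
    lines = ["dn: uid=%s,%s" % (uid, base_dn)]
    for oc in ("top", "person", "organizationalPerson", "posixAccount"):
        lines.append("objectClass: " + oc)
    lines += ["userPassword: " + ldap_md5_from_hex(hex_digest),
              "uid: " + uid, "uidNumber: %d" % uid_number,
              "gidNumber: %d" % gid_number,
              "homeDirectory: /home/%s/" % uid, "cn: " + uid, "sn: " + uid]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the hex digest a psql export would hold.
    sample_password = "example-password"
    sample_hex = hashlib.md5(sample_password.encode("utf-8")).hexdigest()
    print(ldif_entry("test5", 7040, sample_hex))
    print("hex form matches:", md5_value_matches(sample_password, "{md5}" + sample_hex))
    print("base64 form matches:", md5_value_matches(sample_password, ldap_md5_from_hex(sample_hex)))
```

The hex form decodes as base64 to 24 bytes, which can never equal a 16-byte digest; the converted form compares equal for the original password.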