Old 09-26-2011, 11:56 PM   #1
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Rep: Reputation: 32
ldap userPassword to /etc/shadow hash

Hello there

I'm trying to get the output of openldap's userPassword into a form that I can use in an /etc/shadow file.

At this point I'm getting the following back from my python code:

But I have no idea how this relates to a working password hash / string in /etc/shadow.

Is there a way to take that output and make it something I can insert into /etc/shadow to authenticate against? (preferably using python)

Last edited by chakkerz; 09-26-2011 at 11:57 PM. Reason: code tags wrong
Old 09-27-2011, 01:16 AM   #2
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 156

Rep: Reputation: 44
Hello fellow brisbanite!

Sorry, what you have cannot be used as a shadow password file which makes use of the GNU crypt() library function. See man crypt for more details.

The shadow file password field not only requires the encrypted password, but also the hashing method and the salt that was used for the encryption to form a character sequence such as
where '5' is for SHA-256 hashing function.
What you have MAY correspond to '{encrypted_password}' part but without a salt that is useless. It also appears to be a little short for a SHA-256 encryption, perhaps it is only SHA-128 which is not supported.

There is also the problem of exactly how OpenLDAP is representing binary data in an ASCII form. It looks like it is a base64 encoding (the = fill characters at the end are a giveaway), which should be compatible.

In summary, no, you cannot use it in the shadow file, at least not as is.

Does anyone have info on OpenLDAP's password hashing method?

Last edited by A.Thyssen; 09-27-2011 at 01:17 AM.
Old 09-27-2011, 02:11 AM   #3
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Original Poster
Rep: Reputation: 32
Yeah I came to that conclusion as well (especially after finding Frantisek Hanzlik's post on the subject that's mirrored everywhere see ).

I've decided to go with clear and storing an md5 hash in the field in a secondary userPassword field, getting python to query for all of the users' passwords and then deploying the one that .startswith("$1$") and if none is found using "!!".

Most of my authentication is handled by sssd, so we'll see how that goes with having two passwords to choose from... and I just (famous last words) need the md5 for FreeBSD and Solaris hosts, so my authentication is managed in a central location.

Thanks for the info!
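Added example, not code from any poster in this thread: a sketch of the selection described in post #3, which walks every userPassword value, returns the one in md5-crypt (`$1$`) form and falls back to `!!`. It also decodes OpenLDAP's `{SSHA}` scheme (base64 of a 20-byte SHA-1 digest followed by the salt) to show why such a value is not a crypt(3) string. The function names, the handling of a `{CRYPT}` prefix and all sample values are assumptions made for the illustration.

```python
import base64
import hashlib
import re

# md5-crypt as produced by crypt(3): $1$<salt, up to 8 chars>$<22-char hash>
MD5_CRYPT = re.compile(r"\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}")
LOCKED = "!!"  # shadow password field used when no usable hash exists


def split_scheme(value):
    """Split '{SCHEME}data' into (SCHEME, data); scheme is None if absent."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)


def ssha_parts(data):
    """Decode {SSHA} data, base64(SHA-1(password + salt) + salt)."""
    raw = base64.b64decode(data, validate=True)
    if len(raw) <= 20:
        raise ValueError("too short for a SHA-1 digest plus salt")
    return raw[:20], raw[20:]  # (digest, salt): not a crypt(3) string


def make_ssha(password, salt):
    """Build a constructed {SSHA} sample value for the demo and tests."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def shadow_field(user_passwords):
    """Return the first md5-crypt value among the attribute values, else '!!'."""
    for value in user_passwords:
        if isinstance(value, bytes):  # LDAP libraries often return bytes
            value = value.decode("utf-8", "replace")
        scheme, data = split_scheme(value)
        candidate = data if scheme == "CRYPT" else value
        # fullmatch keeps ':' and newlines out of the shadow line
        if MD5_CRYPT.fullmatch(candidate):
            return candidate
    return LOCKED


if __name__ == "__main__":
    fake_md5 = "$1$abcdefgh$" + "A" * 22  # constructed, format-valid only
    values = [b"cleartext-sample", make_ssha(b"pw", b"salt").encode(),
              ("{CRYPT}" + fake_md5).encode()]
    print(shadow_field(values))      # the $1$ value, prefix removed
    print(shadow_field(values[:2]))  # !!
```

Matching the whole `$1$` format rather than only the prefix means a cleartext value, or one containing `:` or a newline, never reaches the generated shadow line.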

