Re: Imported existing user hashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On 11 Jul 2019, at 04:31, Matt Shields <matt@xxxxxxxxxx> wrote:
> 
> We're looking at migrating our Solarwinds Serv-U users into 389-ds.  We can export the user's password hashes which use the following format.
> 
> - user password = mytestpass
> - pick two alpha salt (i.e. Bq)
> - new user password = prepend the salt to the user's password (i.e. Bqmytestpass)
> - MD5 new user password and convert to upper case = 1C3D9DB22AC6CC3A216E1FA566A642B1
> - prepend salt to the MD5 = Bq1C3D9DB22AC6CC3A216E1FA566A642B1
> https://support.solarwinds.com/SuccessCenter/s/article/Manually-generate-encrypted-passwords-for-Serv-U
> 
> How can I import and use the existing hashes. I really do not want to ask every single user for a new password, this would take forever.  I came across this article (https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html) which seemed like I could convert the above hash to {MD5}$1$Bq$1C3D9DB22AC6CC3A216E1FA566A642B1 but that didn't seem to work.

I think that historically the way MD5 was represented was really "per product" so our encoding may be different.

The source code of md5 in our server is here:

https://pagure.io/389-ds-base/blob/master/f/ldap/servers/plugins/pwdstorage/md5_pwd.c

https://pagure.io/389-ds-base/blob/master/f/ldap/servers/plugins/pwdstorage/crypt_pwd.c

So notice our md5 implementation is *unsalted*. So that means that to match your two char salt, you'll need to use the servers crypt support instead, which it looks like you have the format for.

First enable password migration: if you don't do this, the server will "rehash" your hash and everything goes bad:

cn=config
nsslapd-allow-hashed-passwords: on

This means you can now directly as cn=Directory Manager write a pre-hashed password to userPassword field.

Next, you'll need to make your passwords:

{CRYPT}$1$Bq$1C3D9DB22AC6CC3A216E1FA566A642B1

Then supply that to userPassword

Finally, test it! See if it works. If not, we'd need to see a sample password I think to help update the code to support your migration.


You may want to pay attention to the following PR too:

https://pagure.io/389-ds-base/pull-request/50450#

This will hopefully be merged soon, and allows the server to "re-hash" your password to a stronger/newer format on bind, not just password change. This will be really helpful for you for a future security improvement over MD5 I hope :) 


Hope that helps,




> 
> Any ideas?
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux