
First up, I know this question's got the potential to be downvoted and closed, nonetheless I think I will go ahead and ask it all the same because our issue is genuine enough.

We have a mail server which runs OpenLDAP for authentication and Postfix+Cyrus. So far, it has been working fine. We have an idea to configure a second mail server, possibly as a failover. Keeping that in mind, we built a server whose configuration part has been completed - i.e. in essence, it is an exact duplicate of the original server including the LDAP users.

While creating the LDAP users on the 2nd server, we'd created the users using a default password. Now, the question is, for the time being, we want to extract the passwords for the users in the original mail server and apply them to the users in the new mail server (using ldapmodify). The problem is that doing an ldapsearch for the userPassword gives only the encrypted password.

How do we go about applying the old passwords for the users in the new server?

rahuL

2 Answers


If you specify the encrypted password in the ldif file, the new server should apply the password and the user should be able to use it. I don't know how the users in your server are organized, but here is an example:

dn: uid=johndoe,ou=Users,dc=domain,dc=dom
changetype: modify
replace: userPassword
userPassword: {SSHA}AUi2EtvAOqFWfCM3hLgi6mcP+uTD6xfp

This changes the password of user johndoe to "sekretPass". There is no need to decrypt the password; it will be done by the LDAP server the next time the user wants to log in.

Lacek
  • Actually, the password is never decrypted (if it were easily possible, there would be no use in storing it encrypted in the first place ;)), but the user-submitted password is encrypted and then compared to the stored encrypted password. – Isaac Aug 16 '13 at 09:49
  • @Isaac It is *hashed* and compared to the *hashed* password. SSHA is a secure hash algorithm, not an encryption algorithm. – user207421 Nov 28 '13 at 06:55
  • @EJP Good point, http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms explains the difference. I was thinking of _cryptographic_ hashing, but I wasn't aware of the difference of hashing and encrypting. – Isaac Nov 28 '13 at 07:12
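A helper, added here and not part of either answer, for the step the answer describes: turn an `ldapsearch` export of `userPassword` (which ldapsearch base64-encodes with `::` and may fold across lines) into `ldapmodify` input that uses `replace: userPassword`, plus an `{SSHA}` check that shows what the comments discuss: slapd hashes the submitted password with the stored salt and compares digests, it never decrypts anything. The DNs and the janedoe entry are constructed sample data; only the johndoe hash comes from the answer above.

```python
import base64
import hashlib
import os

def parse_export(text):
    """Map each dn in `ldapsearch ... userPassword` output to its stored value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF continuation line: re-join
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: ") and dn:   # '::' = base64 value
            entries[dn] = base64.b64decode(line[15:]).decode()
        elif line.startswith("userPassword: ") and dn:
            entries[dn] = line[14:]
    return entries

def to_modify_ldif(entries):
    """ldapmodify input: one 'replace' per dn, overwriting the default password."""
    out = []
    for dn, stored in entries.items():
        b64 = base64.b64encode(stored.encode()).decode()
        out.append(f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword:: {b64}\n")
    return "\n".join(out)

def ssha_hash(password, salt=None):
    """{SSHA} = base64(sha1(password + salt) + salt), with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(password, stored):
    """What slapd does at bind time: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

# Constructed sample of ldapsearch output: johndoe carries the hash from the answer
# (folded across two lines, as ldapsearch does past 76 columns); janedoe carries a
# hash generated here for "sekretPass" with a fixed salt.
_johndoe = base64.b64encode(b"{SSHA}AUi2EtvAOqFWfCM3hLgi6mcP+uTD6xfp").decode()
_janedoe = base64.b64encode(ssha_hash("sekretPass", b"salt").encode()).decode()
SAMPLE_EXPORT = (f"dn: uid=johndoe,ou=Users,dc=domain,dc=dom\nuserPassword:: {_johndoe[:40]}\n"
                 f" {_johndoe[40:]}\n\ndn: uid=janedoe,ou=Users,dc=domain,dc=dom\nuserPassword:: {_janedoe}\n")
```

Feed `to_modify_ldif(parse_export(export))` to `ldapmodify -f`; the same hash value is accepted by the new server as long as it is configured to handle `{SSHA}`.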

Why not set up the original LDAP server as a provider and the new server as a consumer, or in other words a master-slave setup? I guess that's the way you should do it anyway -- at the LDAP daemon level. Time to dig into your slapd.conf!

Janne Pikkarainen
  • While I agree that yours is the more efficient way, and ultimately that is what we want to achieve, we're just trying this method out before we get to a master-slave setup – rahuL Aug 16 '13 at 10:46