
Let me describe the infrastructure I am trying to configure. There is an OpenLDAP server on CentOS (running slapd 2.4.40) as a distributed authentication method for a couple of boxes.

Is there a way to modify a user (using an ldif file and ldapmodify) to change the password to an already hashed one? How do I prevent the new hash from being hashed again?

I have tried a lot of variations of the ldif file with no luck. Any ideas?

The hash configuration on ldap is:

    password-hash {CRYPT}
    password-crypt-salt-format "$5$%.16s"

Thanks!

update:

@Sven thanks for your reply. I tried your solution (I had also tried it before) and it seems that it keeps hashing the password... I changed the hashing method too. Workaround: assume I'd like to set the password for user george:

  • change ldap configuration to SSHA

    password-hash {SSHA}

  • restart ldap etc

  • Hash a new password: (testpassword)

    [root@vm ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW

  • prepare ldif file

    [root@vm ~]# cat test.ldif
    dn: cn=george,dc=test,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW

  • alter user using the previous ldif

    [root@vm ~]# ldapmodify -c -a -f ./test.ldif -w 'rootpass!' -D "cn=root,dc=europa,dc=eu"
    modifying entry "dn: cn=george,dc=test,dc=com"

  • check if changes applied successfully

    [root@vm ~]# ldapsearch -x -w 'rootpass!' -D "cn=root,dc=test,dc=com" -b "dc=test,dc=com" -s sub "(objectclass=*)" | grep george -A 3
    # george, test, com
    dn: cn=george,dc=test,dc=com
    loginShell: /bin/bash
    sn: Administrator
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCr/fmBCVOx8io4dLnVeagN61ZW
    --
    cn: george
    homeDirectory: /home/george
    gidNumber: 33222
    uid: george
    userPassword:: e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=


I suppose that the hashed password should appear in userPassword on search after the user's modification, right?

But:

    {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW !=  
    e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=

After that I wondered if it was encoded (Base64 for example).

But it's also different:

    [root@ldap01-prototype:~ ] $ echo {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW > test; base64 test
    e1NTSEF9STVDVEkvZG4rcHBmL1hBL0pqejZ5dStMUmZQV3FCUVcK
anadam__

1 Answer

This change operation should use a pre-encrypted password (1234 in this case). Note the {CRYPT} prefix, which tells OpenLDAP to use standard CRYPT libraries to validate the password, not the internal methods like {SSHA}.

    dn: uid=johndoe,ou=users,dc=example,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {CRYPT}$6$NxKjjJP/Jlf$TrtCUMfi1uUpZDtYYvtFO2DlMsxntZ1ulzrTppJkqAZbX1Nv4WhdJ4vJbZcQDyWZVeGadtVQjqUHNZMT1FP8d0

Note: Using {CRYPT} is really only meant as a temporary migration aid away from /etc/shadow. It is better to use {SSHA} passwords with OpenLDAP. See this to learn how to generate these.

Sven
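Added example (Python; not code from the question, the answer or OpenLDAP) that walks through the procedure both posts describe: it builds a {SSHA} value the way slappasswd does, writes the modify LDIF, shows why ldapsearch prints userPassword with `::` (LDIF base64-encodes any value that begins with `{`), decodes such a line back, and checks that the directory returned exactly the value that ldapmodify wrote. It also recognises the {CRYPT} prefix from the answer and names the crypt(3) variant from its `$id$` field, but leaves {CRYPT} verification to libc, as slapd itself does. Assumptions: the 4-byte salt and the digest-then-salt layout of {SSHA}/{SMD5} follow OpenLDAP's documented formats; all sample inputs are constructed, apart from the two values quoted from the question.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example, not the asker's, Sven's or OpenLDAP's code. Assumed layout
# (OpenLDAP's documented {SSHA} scheme): base64( SHA1(password || salt) || salt ),
# with slappasswd's default 4-byte salt. The values in the thread decode to
# 24 bytes = 20-byte SHA1 digest + 4-byte salt, consistent with that layout.
SSHA_SALT_LEN = 4
SHA1_LEN = 20
MD5_LEN = 16


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return a {SSHA} value in the form slappasswd prints (random salt by default)."""
    if not salt:
        salt = os.urandom(SSHA_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(stored: str) -> str:
    """Scheme prefix of a userPassword value, e.g. 'SSHA' or 'CRYPT' ('' if unprefixed)."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", stored)
    return m.group(1).upper() if m else ""


def crypt_algorithm(stored: str) -> str:
    """For a {CRYPT} value, name the libc crypt(3) variant from its '$id$' prefix."""
    ids = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "2b": "bcrypt"}
    m = re.match(r"^\{CRYPT\}\$([^$]+)\$", stored, re.IGNORECASE)
    return ids.get(m.group(1), "unknown") if m else "traditional-des-or-unknown"


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a cleartext password against the SHA1/MD5 schemes OpenLDAP
    implements internally. {CRYPT} is delegated to libc by slapd, so this
    example deliberately refuses it instead of reimplementing crypt(3)."""
    scheme = scheme_of(stored)
    raw = base64.b64decode(stored[len(scheme) + 2:])  # strip "{SCHEME}"
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is appended
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:MD5_LEN], raw[MD5_LEN:]
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError(f"scheme {scheme or '(none)'} is not verified by this example")


def modify_ldif(dn: str, stored: str) -> str:
    """The LDIF that replaces userPassword with an already-hashed value."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {stored}\n"


def as_ldapsearch_line(stored: str) -> str:
    """How ldapsearch prints the attribute: LDIF base64-encodes a value that
    starts with an unsafe character such as '{' and marks it with '::'."""
    return "userPassword:: " + base64.b64encode(stored.encode("utf-8")).decode("ascii")


def parse_userpassword(line: str) -> str:
    """Decode a userPassword line from ldapsearch output back to the stored value."""
    m = re.match(r"^userPassword(::?) ?(.*)$", line.strip())
    if not m:
        raise ValueError("not a userPassword line")
    sep, value = m.groups()
    return base64.b64decode(value).decode("utf-8") if sep == "::" else value


def stored_unchanged(value_set: str, ldapsearch_line: str) -> bool:
    """True if the directory returned exactly the hash written by ldapmodify."""
    return parse_userpassword(ldapsearch_line) == value_set


if __name__ == "__main__":
    # Constructed walk-through of the thread's procedure.
    value = ssha_hash("testpassword")
    print(modify_ldif("cn=george,dc=test,dc=com", value))
    line = as_ldapsearch_line(value)
    print(line, "->", parse_userpassword(line), stored_unchanged(value, line))
    # The line quoted in the question decodes to a different {SSHA} value,
    # not to a re-encoding of the value that was in test.ldif.
    quoted = "userPassword:: e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM="
    print(parse_userpassword(quoted))
```

Running the block decodes the `userPassword::` line quoted in the question to `{SSHA}sK5ATYauhHZHvWyo2SiZts9aU1T6rAuS`, a different {SSHA} value from the `{SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW` written in test.ldif, so the two values do not differ merely by encoding. Comparing the decoded attribute with the value you set, as `stored_unchanged` does, is the quickest check that a pre-hashed password landed in the entry untouched.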