
So, our employees use the Zimbra OpenLDAP; however, since this doesn't include PosixAccount, we can't automatically link it to our Synology.

So my boss wanted me to create an OpenLDAP database, automatically import the users from the Zimbra LDAP every 6 hours or so, and link our Synology to this new OpenLDAP, which would also be a safe environment for our interns to work with LDAP.

Before you ask, I can't change the Zimbra OpenLDAP for warranty reasons.

So everything worked splendidly: the users were imported and the Synology could finally see them. However, the passwords did not work. After looking over the export files I realized that Zimbra uses SSHA512 to hash the passwords, which isn't recognized by my OpenLDAP.

However, I can't seem to find any way of installing patches for it, since apparently OpenLDAP changed its structure and all the information I found was outdated.

Does anybody know of an easy way to teach OpenLDAP SSHA512 with a recent installation?

Julian Kurz
  • Please, look at http://community.zimbra.com/collaboration/f/1886/t/1137861 – drvtiny Aug 27 '15 at 12:01
  • I have looked at this. This also requires changing Zimbra; it does not, however, teach OpenLDAP SSHA512. – Julian Kurz Aug 27 '15 at 13:59
  • It doesn't require modifying any Zimbra code; it only requires changing Zimbra's authentication method to "external Directory Server". What problems do you have with the sha2 module? ( https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2 ). Is it deprecated for newer versions of OpenLDAP? – drvtiny Aug 27 '15 at 14:12
  • Yes, they don't even use slapd.conf anymore, so none of these fixes will actually work. And changing to an external Directory Server is indeed something to consider, but it would be preferable if we could keep the current LDAP setup. – Julian Kurz Aug 27 '15 at 14:35
  • Have you got the compiled sha2.so module? It can be loaded with olcModuleLoad like any other module, if it was compiled properly... – drvtiny Aug 27 '15 at 14:45
  • Sorry, the compiled module will be pw-sha2.la. To build it, go to `contrib/slapd-modules/passwd/sha2` and run `make -j$(fgrep -c processor /proc/cpuinfo)` – drvtiny Aug 27 '15 at 15:00
  • Just compiled and loaded pw-sha2.la, and {SSHA512} works for me! I've set olcPasswordHash: {SSHA512} and all new passwords created with ldappasswd are in SSHA512. ldapwhoami (a check for a proper bind operation) works as expected too. So... you need to compile and load the pw-sha2 module from the standard OpenLDAP source distribution. – drvtiny Aug 27 '15 at 17:34
  • According to http://www.openldap.org/its/index.cgi/Incoming?id=7802;page=26 you can't use olcPasswordHash: {SSHA512} in cn=config at startup. So, if you really need to create or write password hashes with an internal server mechanism such as ldappasswd, you need to change olcPasswordHash to "{SSHA512}" in the server startup script and restore its default value ("{SSHA}") in the server "stop" script. – drvtiny Aug 28 '15 at 09:43
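The comments above say what pw-sha2 does but not what the `{SSHA512}` values it verifies actually look like. The following is an added example, not code from the question or from OpenLDAP: it reproduces the salted-SHA-2 scheme (`{SSHA512}` = base64 of `sha512(password || salt)` followed by the salt, which is the RFC 2307 layout the slapd contrib module and the built-in `{SSHA}` share), so a practitioner can take one `userPassword` line from the Zimbra export and a password they know and confirm, before building anything, that the imported hashes are in the format pw-sha2 will accept. It also renders the two cn=config LDIF changes the comments describe. The 8-byte salt, the module path `/usr/lib/ldap` and the module name `pw-sha2` are assumptions (distribution builds differ); verification does not depend on the salt length, it simply treats whatever follows the digest as the salt, which is also why a Zimbra-generated value with a different salt size still checks out.

```python
import base64
import hashlib
import hmac
import os
import re

# Salted schemes: the built-in {SSHA} (SHA-1) plus the SHA-2 variants that the
# contrib pw-sha2 module adds to slapd.
SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA384": hashlib.sha384,
    "SSHA512": hashlib.sha512,
}


def make_salted_hash(password, scheme="SSHA512", salt=None):
    """Return a '{SCHEME}base64(digest || salt)' userPassword value."""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    if salt is None:
        # Assumption: an 8-byte random salt, as the contrib module uses.
        salt = os.urandom(8)
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_salted_hash(password, stored):
    """Verify a password against a stored {SSHA*} value the way slapd does:
    split the decoded blob at the digest length, re-hash with the trailing
    salt, and compare in constant time."""
    m = re.fullmatch(r"\{([A-Z0-9]+)\}([A-Za-z0-9+/=]+)", stored.strip())
    if not m:
        raise ValueError("not a {SCHEME}base64 password value")
    scheme, b64 = m.group(1), m.group(2)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    raw = base64.b64decode(b64)
    dlen = SCHEMES[scheme]().digest_size
    if len(raw) <= dlen:
        return False  # no salt bytes at all: malformed, never a match
    digest, salt = raw[:dlen], raw[dlen:]
    expect = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expect, digest)


def module_load_ldif(module_path="/usr/lib/ldap", module="pw-sha2"):
    """LDIF that loads the contrib module into a cn=config slapd.
    Path and module name are assumptions; adjust to where the build put
    pw-sha2.la / pw-sha2.so."""
    return "\n".join([
        "dn: cn=module,cn=config",
        "objectClass: olcModuleList",
        "cn: module",
        "olcModulePath: %s" % module_path,
        "olcModuleLoad: %s" % module,
        "",
    ])


def password_hash_ldif(scheme="SSHA512"):
    """LDIF that makes slapd itself (ldappasswd, password modify) emit the
    scheme. Only needed for hashes slapd creates; verifying imported
    {SSHA512} values needs the module alone."""
    return "\n".join([
        "dn: olcDatabase={-1}frontend,cn=config",
        "changetype: modify",
        "replace: olcPasswordHash",
        "olcPasswordHash: {%s}" % scheme,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: an export line for a user whose password we know.
    exported = make_salted_hash("Winter2015!", "SSHA512", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print("userPassword:", exported)
    print("known password verifies:", check_salted_hash("Winter2015!", exported))
    print("wrong password verifies:", check_salted_hash("wrong", exported))
    print(module_load_ldif())
    print(password_hash_ldif())
```

Feed `module_load_ldif()` to `ldapadd -Y EXTERNAL -H ldapi:///` on the new server; if a `cn=module{0},cn=config` entry already exists, add `olcModuleLoad: pw-sha2` to it with `ldapmodify` instead. Apply `password_hash_ldif()` only after slapd is running with the module loaded, for the reason given in the last comment above (ITS 7802: the frontend parses `olcPasswordHash` before the module is loaded, so it cannot be in the stored config at startup).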

0 Answers