Getting the LDAP password from the LDAP Directory


Solution 1

If you specify the encrypted password in the ldif file, the new server should apply the password and the user should be able to use it. I don't know how the users in your server are organized, but here is an example:

dn: uid=johndoe,ou=Users,dc=domain,dc=dom
changetype: modify
replace: userPassword
userPassword: {SSHA}AUi2EtvAOqFWfCM3hLgi6mcP+uTD6xfp

This changes the password of user johndoe to "sekretPass". There is no need to decrypt the password, it will be done by the LDAP server the next time the user wants to log in.

Solution 2

Why not set up the original LDAP server as a provider and the new server as a consumer, or in other words a master-slave setup? I guess that's the way you should do it anyway -- at the LDAP daemon level. Time to dig into your slapd.conf!

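The mechanics behind Solution 1, as an added example that is not code from the answer above: what a {SSHA} userPassword value is (RFC 2307 style, base64 of sha1(password + salt) followed by the salt), how slapd checks a bind against it by re-hashing rather than decrypting (the point made in the comments below), how to pull the hashes out of ldapsearch's LDIF output (which base64-encodes userPassword as "userPassword:: ..." and folds long lines), and how to write the ldapmodify LDIF, which needs a "replace: userPassword" line after "changetype: modify". The janedoe entry, its password and salt, and the search output are constructed sample data; the johndoe hash is the one shown in the answer, and nothing here assumes what its cleartext is.

```python
"""Copy OpenLDAP {SSHA} password hashes between servers without learning the cleartext.

Added example, not the answer's own code.  The DNs, the janedoe password/salt
and the ldapsearch output are constructed sample data.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PREFIX = "{SSHA}"
# The hash shown in the answer above (its cleartext is not assumed here).
PAGE_HASH = "{SSHA}AUi2EtvAOqFWfCM3hLgi6mcP+uTD6xfp"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Equivalent of `slappasswd -h {SSHA} -s <password>`."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """What slapd does on a simple bind: split the stored value into digest and
    salt, re-hash the candidate with that salt and compare the digests."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a {SSHA} value: %r" % stored[:8])
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    candidate_digest = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate_digest, digest)


def _unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_search_output(ldif: str) -> Dict[str, str]:
    """Map dn -> userPassword from `ldapsearch -x -LLL ... userPassword` output."""
    passwords: Dict[str, str] = {}
    dn: Optional[str] = None
    for line in _unfold(ldif):
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:  # base64-encoded value
            passwords[dn] = base64.b64decode(line[15:].strip()).decode("ascii")
        elif line.startswith("userPassword: ") and dn:   # plain value
            passwords[dn] = line[14:].strip()
    return passwords


def modify_ldif(passwords: Dict[str, str]) -> str:
    """LDIF for `ldapmodify -x -D <admin dn> -W -f passwords.ldif` on the new server.
    The 'replace: userPassword' line is mandatory in a changetype: modify record."""
    records = []
    for dn, value in passwords.items():
        records.append(
            "dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n"
            % (dn, value)
        )
    return "\n".join(records)


# Constructed stand-in for the old server's `ldapsearch -x -LLL '(uid=*)' userPassword`
# output: the first value is base64-encoded and folded the way ldapsearch prints it.
_b64 = base64.b64encode(PAGE_HASH.encode("ascii")).decode("ascii")
SAMPLE_SEARCH_OUTPUT = (
    "dn: uid=johndoe,ou=Users,dc=domain,dc=dom\n"
    "userPassword:: " + _b64[:20] + "\n " + _b64[20:] + "\n"
    "\n"
    "dn: uid=janedoe,ou=Users,dc=domain,dc=dom\n"
    "userPassword: " + make_ssha("jane-secret", salt=b"\x01\x02\x03\x04") + "\n"
)

if __name__ == "__main__":
    found = parse_search_output(SAMPLE_SEARCH_OUTPUT)
    print(modify_ldif(found))
    jane = found["uid=janedoe,ou=Users,dc=domain,dc=dom"]
    print("janedoe binds with jane-secret:", verify_ssha(jane, "jane-secret"))
    print("janedoe binds with wrong password:", verify_ssha(jane, "wrong"))
```

Two practical notes: the ldapsearch on the old server must bind as a DN that your ACLs allow to read userPassword (the rootdn in most setups; ordinary users usually get auth-only access), and slapd's password-hash directive only applies to the Password Modify extended operation, so a userPassword value written with a plain ldapmodify is stored verbatim, which is exactly why copying the hash works. Solution 2 (syncrepl) replicates the userPassword attribute the same way, so it keeps the hashes in step without this manual round trip.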

Author: rahuL

Updated on September 18, 2022

Comments

  • rahuL
    rahuL over 1 year

    First up, I know this question's got the potential to be downvoted and closed, nonetheless I think I will go ahead and ask it all the same because our issue is genuine enough.

    We have a mail server which runs OpenLDAP for authentication and Postfix+Cyrus. So far, it has been working fine. We have an idea to configure a second mail server, possibly as a failover. Keeping that in mind, we built a server whose configuration part has been completed - i.e., in essence, it is an exact duplicate of the original server including the LDAP users.

    While creating the LDAP users on the 2nd server, we'd created the users using a default password. Now, the question is, for the time being, we want to extract the passwords for the users in the original mail server and apply them to the users in the new mail server (using ldapmodify). The problem is doing an ldapsearch for the userPassword gives only the encrypted password.

    How do we go about applying the old passwords for the users in the new server?

  • Isaac
    Isaac over 10 years
    Actually, the password is never decrypted (if it would be easily possible, there would be no use in storing it encrypted in the first place ;)), but the user submitted password is encrypted and then compared to the stored encrypted password.
  • rahuL
    rahuL over 10 years
    While I agree that yours is the more efficient way, and ultimately that is what we want to achieve, we're just trying this method out before we get to a master-slave setup
  • user207421
    user207421 over 10 years
    @Isaac It is hashed and compared to the hashed password. SSHA is a secure hash algorithm, not an encryption algorithm.
  • Isaac
    Isaac over 10 years
    @EJP Good point, stackoverflow.com/questions/4948322/… explains the difference. I was thinking of cryptographic hashing, but I wasn't aware of the difference of hashing and encrypting.