Set already hashed password for user against open ldap
This change operation should use a pre-encrypted password (1234 in this case). Note the {CRYPT} prefix, which tells OpenLDAP to use the standard CRYPT libraries to validate the password, not the internal methods like {SSHA}.
```ldif
dn: uid=johndoe,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {CRYPT}$6$NxKjjJP/Jlf$TrtCUMfi1uUpZDtYYvtFO2DlMsxntZ1ulzrTppJkqAZbX1Nv4WhdJ4vJbZcQDyWZVeGadtVQjqUHNZMT1FP8d0
```
Note: Using {CRYPT} is really only meant as a temporary migration aid away from /etc/shadow. It is better to use {SSHA} passwords with OpenLDAP. See this to learn how to generate these.
Admin, updated on September 18, 2022

Comments

Admin, almost 2 years ago:
Let me describe the infrastructure I am trying to configure. There is an OpenLDAP server on CentOS (running slapd 2.4.40) as the distributed authentication method for a couple of boxes.
Is there a way to modify a user (using an ldif file and ldapmodify) to change the password with an already hashed one? How do I prevent the new hash from being hashed again?
I had tried a lot of variations on the ldif file with no luck. Any ideas?
The hash configuration on ldap is:

```
password-hash {CRYPT}
password-crypt-salt-format "$5$%.16s"
```
Thanks!
Update:

@Sven thanks for your reply. I tried your solution (I had also tried it before) and it seems that it keeps hashing the password... I changed the hashing method too. Workaround: assume I'd like to set the password for user george.
- change the ldap configuration to SSHA: `password-hash {SSHA}`, restart ldap etc.
- hash a new password (testpassword):

```
[root@vm ~]# slappasswd
New password:
Re-enter new password:
{SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW
```

- prepare the ldif file:

```
[root@vm ~]# cat test.ldif
dn: cn=george,dc=test,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW
```

- alter the user using the previous ldif:

```
[root@vm ~]# ldapmodify -c -a -f ./test.ldif -w 'rootpass!' -D "cn=root,dc=europa,dc=eu"
modifying entry "dn: cn=george,dc=test,dc=com"
```

- check if the changes were applied successfully:

```
[root@vm ~]# ldapsearch -x -w 'rootpass!' -D "cn=root,dc=test,dc=com" -b "dc=test,dc=com" -s sub "(objectclass=*)" | grep george -A 3
# george, test, com
dn: cn=george,dc=test,dc=com
loginShell: /bin/bash
sn: Administrator
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCr/fmBCVOx8io4dLnVeagN61ZW
--
cn: george
homeDirectory: /home/george
gidNumber: 33222
uid: george
userPassword:: e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=
```
I suppose that the hashed password should appear in userPassword in the search after the user's modification, right? But:

```
{SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW != e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=
```

After that I wondered whether it was encoded (Base64 for example), but it's also different:

```
[root@ldap01-prototype:~ ] $ echo {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW > test; base64 test
e1NTSEF9STVDVEkvZG4rcHBmL1hBL0pqejZ5dStMUmZQV3FCUVcK
```
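As an added example that is not part of the answer or the question above (and not OpenLDAP's own code), this Python script builds {SSHA} values the way slappasswd does, verifies a cleartext password against one by recovering the salt from the stored value, and decodes the `userPassword::` form ldapsearch prints. The double colon in LDIF means the stored value is shown base64-encoded, so it must be decoded before comparing; and because each {SSHA} value carries its own random salt, two hashes of the same password never match as strings, so the correct check is to verify, not to compare. The password and salt used are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it in the value is the salt


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    if not salt:
        salt = os.urandom(4)  # fresh random salt, so repeated calls give different strings
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    The salt is recovered from the stored value itself, so two {SSHA} strings
    for the same password are never string-equal but both verify.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attribute_line(name: str, value: str) -> str:
    """Render an attribute the way ldapsearch prints userPassword: base64 after '::'."""
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ldif_attribute_value(line: str) -> str:
    """Read back one LDIF attribute line; 'attr:: value' means the value is base64."""
    _, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode("utf-8")
    _, sep, value = line.partition(":")
    return value.strip()


if __name__ == "__main__":
    # Constructed sample; not the values from the question above.
    first, second = ssha_hash("testpassword"), ssha_hash("testpassword")
    print(first != second, ssha_verify("testpassword", first), ssha_verify("testpassword", second))
    # What ldapsearch would show for the stored value, decoded back to the {SSHA} string.
    print(ldif_attribute_value(ldif_attribute_line("userPassword", first)) == first)
```

Note that `echo` without `-n` appends a newline before base64 encodes the file, which also changes the output. {SSHA} is salted SHA-1; where slapd is built with the pw-sha2 password module, the same LDIF approach works with stronger schemes such as {SSHA512} produced by `slappasswd -h`.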