Set an already-hashed password for a user against OpenLDAP


This change operation should use a pre-encrypted password (1234 in this case). Note the {CRYPT} prefix, which tells OpenLDAP to use the standard crypt libraries to validate the password, not internal methods like {SSHA}.

dn: uid=johndoe,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {CRYPT}$6$NxKjjJP/Jlf$TrtCUMfi1uUpZDtYYvtFO2DlMsxntZ1ulzrTppJkqAZbX1Nv4WhdJ4vJbZcQDyWZVeGadtVQjqUHNZMT1FP8d0

Note: Using {CRYPT} is really only meant as a temporary migration aid away from /etc/shadow. It is better to use {SSHA} passwords with OpenLDAP. See this to learn how to generate these.


Author by Admin

Updated on September 18, 2022

Comments

  • Admin, almost 2 years ago

    Let me describe the infrastructure I am trying to configure. There is an OpenLDAP server on CentOS (running slapd 2.4.40) used as a distributed authentication method for a couple of boxes.

    Is there a way to modify a user (using an LDIF file and ldapmodify) to change the password to an already-hashed one? How do I prevent the new hash from being hashed again?

    I have tried a lot of variations of the LDIF file with no luck. Any ideas?

    The hash configuration on LDAP is:

    password-hash {CRYPT}
    password-crypt-salt-format "$5$%.16s"
    

    Thanks!

    Update:

    @Sven thanks for your reply. I tried your solution (I had also tried it before) and it seems that it keeps hashing the password... I changed the hashing method too. Workaround: assume I'd like to set the password for user george. Change the LDAP configuration to SSHA:

     password-hash {SSHA}
    
    • Restart LDAP, etc.

    • Hash a new password (testpassword):

      [root@vm ~]# slappasswd
      New password:
      Re-enter new password:
      {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW
      
    • Prepare the LDIF file:

      [root@vm ~]# cat test.ldif
      dn: cn=george,dc=test,dc=com
      changetype: modify
      replace: userPassword
      userPassword: {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW

    • Alter the user using the previous LDIF:

      [root@vm ~]# ldapmodify -c -a -f ./test.ldif -w 'rootpass!' -D "cn=root,dc=europa,dc=eu"
      modifying entry "dn: cn=george,dc=test,dc=com"

    • Check whether the changes were applied successfully:

      [root@vm ~]# ldapsearch -x -w 'rootpass!' -D "cn=root,dc=test,dc=com" -b "dc=test,dc=com" -s sub "(objectclass=*)" | grep george -A 3
      # george, test, com
      dn: cn=george,dc=test,dc=com
      loginShell: /bin/bash
      sn: Administrator
      sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCr/fmBCVOx8io4dLnVeagN61ZW
      --
      cn: george
      homeDirectory: /home/george
      gidNumber: 33222
      uid: george
      userPassword:: e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=
      

    I suppose the hashed password should appear in the user's userPassword in the search after the modification, right?

    But:

        {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW !=  
        e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM=
    

    After that I thought it might be encoded (Base64, for example).

    But it's also different:

        [root@ldap01-prototype:~ ] $ echo {SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW > test; base64 test
        e1NTSEF9STVDVEkvZG4rcHBmL1hBL0pqejZ5dStMUmZQV3FCUVcK
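The following is an added, stand-alone example written for this page; it is not code from the answer, the comment, or OpenLDAP itself. It re-creates offline the three pieces that both the answer and the comment above turn on: producing an {SSHA} value the way slappasswd does (SHA-1 over password plus a 4-byte salt, base64 of digest plus salt), emitting the same `replace: userPassword` modify record shown in the answer, and reading back the `userPassword::` line that ldapsearch printed. The double colon in that line is LDIF's marker for a base64-encoded value (RFC 2849), and OpenLDAP's ldif library always base64-encodes userPassword on output; decoding it is the check the comment was missing. The {CRYPT} hash from the answer comes from the system's crypt(3) and is not regenerated here. The sample ldapsearch line is constructed from the comment's output; the DN and password strings are the ones used in the thread.

```python
# Added example (not from the original post or from OpenLDAP): {SSHA} generation
# and verification, the modify LDIF, and decoding ldapsearch's 'attr:: base64' lines.
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20   # bytes in a SHA-1 digest
SALT_LEN = 4    # salt size slappasswd uses for {SSHA}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 {SSHA} value: base64(sha1(password || salt) || salt).

    A fresh random salt is drawn unless one is supplied, so two calls for the
    same password legitimately yield different strings, exactly as slappasswd does.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored)
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # salt is whatever follows the digest
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)    # constant-time comparison


def modify_ldif(dn: str, hashed: str) -> str:
    """The 'replace: userPassword' change record from the answer, for any scheme."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hashed}",
        "",
    ])


def decode_ldif_attr(line: str) -> tuple:
    """Split one LDIF attribute line into (name, value).

    'attr:: value' means the value is base64-encoded (RFC 2849). ldapsearch prints
    userPassword that way on output, so the base64 is transport encoding, not a
    sign that the server re-encoded the hash.
    """
    if "::" in line:
        name, value = line.split("::", 1)
        return name.strip(), base64.b64decode(value.strip()).decode("utf-8")
    name, value = line.split(":", 1)
    return name.strip(), value.strip()


if __name__ == "__main__":
    submitted = "{SSHA}I5CTI/dn+ppf/XA/Jjz6yu+LRfPWqBQW"   # value the comment submitted
    print(modify_ldif("cn=george,dc=test,dc=com", submitted))

    # Constructed from the ldapsearch output quoted in the comment above.
    line = "userPassword:: e1NTSEF9c0s1QVRZYXVoSFpIdld5bzJTaVp0czlhVTFUNnJBdVM="
    name, stored = decode_ldif_attr(line)
    print(name, "=", stored)
    print("stored value equals submitted value:", stored == submitted)

    fresh = ssha_hash("testpassword")
    print("fresh hash:", fresh, "verifies:", ssha_verify("testpassword", fresh))
```

Decoding the quoted `userPassword::` line yields `{SSHA}sK5ATYauhHZHvWyo2SiZts9aU1T6rAuS`, a well-formed 24-byte {SSHA} value that is simply a different hash from the one submitted, not a re-encoding of it. That is the signature of the server hashing the submitted string itself; the ppolicy overlay's ppolicy_hash_cleartext option does exactly that, so it is the first thing to check in slapd's configuration when a pre-hashed value does not survive an ldapmodify. Verifying `testpassword` against the stored value with `ssha_verify` tells you directly whether the stored hash is still a hash of the intended password.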