Discussion:
iPlanet Directory migration into OpenLDAP
Lloyd H. Meinholz
2003-09-08 10:56:32 UTC
I am in the process of migrating from iPlanet Directory Server 5.0 into
OpenLDAP 2.1.22. I think I have the OpenLDAP server set up to my liking
and I am now trying to migrate the ldap data. I am dumping the data from
Directory Server into an ldif file. The problem I am having is with the passwords.
I've been searching and can't seem to figure out how to get the
passwords converted into a form OpenLDAP can deal with. Does anyone have
any pointers etc.? I've been looking through the docs, archives and
google, but haven't found anything yet. Thanks for any pointers,

Lloyd
Michael Ströder
2003-09-09 10:57:59 UTC
Post by Lloyd H. Meinholz
I am dumping the data from
Directory Server into an ldif file. The problem I am having is with the passwords.
Should be compatible.
Post by Lloyd H. Meinholz
I've been searching and can't seem to figure out how to get the
passwords converted into a form OpenLDAP can deal with.
You can just re-use the values of attribute 'userPassword' in OpenLDAP.

If passwords are hashed (e.g. {SSHA}) you are stuck with LDAP simple bind
since most SASL mechs (e.g. DIGEST-MD5) need the passwords in clear-text.

Ciao, Michael.
Lloyd H. Meinholz
2003-09-09 17:11:24 UTC
Post by Michael Ströder
Post by Lloyd H. Meinholz
I am dumping the data from
Directory Server into an ldif file. The problem I am having is with the passwords.
Should be compatible.
Doesn't seem to be. I used the java gui ldapbrowser to export the ldif
from iPlanet and then to import it into openldap. I've tried
authenticating to the openldap server and it doesn't work.
Post by Michael Ströder
Post by Lloyd H. Meinholz
I've been searching and can't seem to figure out how to get the
passwords converted into a form OpenLDAP can deal with.
You can just re-use the values of attribute 'userPassword' in OpenLDAP.
I do have userPassword in both schemas. What's weird is that after I've
imported the iPlanet ldif into openldap, the userPassword field is of
type BINARY (46b). I have no idea what this means and I can't seem to
change it. I have the password hash set to {SSHA} in slapd.conf and
can't seem to find another setting that resembles BINARY (46b)...
Post by Michael Ströder
If passwords are hashed (e.g. {SSHA}) you are stuck with LDAP simple bind
since most SASL mechs (e.g. DIGEST-MD5) need the passwords in clear-text.
Ciao, Michael.
Thanks for the response,

Lloyd
Joshua Bernstein
2003-09-09 18:39:48 UTC
Well if you just dump the hashes from iPlanet and then import the hash
into OpenLDAP you should be alright! It will be in the form of
{SSHA}3wr58a0ew9rsldihjf
or something like that...

Don't forget to migrate the schemas too...
Post by Lloyd H. Meinholz
I am in the process of migrating from iPlanet Directory Server 5.0 into
OpenLDAP 2.1.22. I think I have the OpenLDAP server set up to my liking
and I am now trying to migrate the ldap data. I am dumping the data from
Directory Server into an ldif file. The problem I am having is with the passwords.
I've been searching and can't seem to figure out how to get the
passwords converted into a form OpenLDAP can deal with. Does anyone have
any pointers etc.? I've been looking through the docs, archives and
google, but haven't found anything yet. Thanks for any pointers,
Lloyd
-Joshua Bernstein
Systems Analyst
University of Arizona
Tucson, Arizona, USA
Lloyd H. Meinholz
2003-09-09 18:58:35 UTC
How do you dump the hashes from iPlanet? I'm not getting {SSHA} stuff
when I do it via ldapbrowser. I'm getting something like this:

userPassword::
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
==

What the heck is that format???

Lloyd
Post by Joshua Bernstein
Well if you just dump the hashes from iPlanet and then import the hash
into OpenLDAP you should be alright! It will be in the form of
{SSHA}3wr58a0ew9rsldihjf
or something like that...
Don't forget to migrate the schemas too...
Post by Lloyd H. Meinholz
I am in the process of migrating from iPlanet Directory Server 5.0 into
OpenLDAP 2.1.22. I think I have the OpenLDAP server set up to my liking
and I am now trying to migrate the ldap data. I am dumping the data from
Directory Server into an ldif file. The problem I am having is with the passwords.
I've been searching and can't seem to figure out how to get the
passwords converted into a form OpenLDAP can deal with. Does anyone have
any pointers etc.? I've been looking through the docs, archives and
google, but haven't found anything yet. Thanks for any pointers,
Lloyd
-Joshua Bernstein
Systems Analyst
University of Arizona
Tucson, Arizona, USA
Frank Swasey
2003-09-09 19:43:47 UTC
Post by Lloyd H. Meinholz
How do you dump the hashes from iPlanet? I'm not getting {SSHA} stuff
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
==
What the heck is that format???
That is base64 encoding of

{SSHA}e—***@F/jZlu7qs/X3RxAl2LSw==

F
Roland Bauerschmidt
2003-09-09 19:53:49 UTC
Post by Lloyd H. Meinholz
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
==
What the heck is that format???
LDIF. The double colon indicates that the data is Base64 encoded. In
this case, for instance, the decoded value is:

***@euklid:~$ python
Python 2.3+ (#2, Aug 10 2003, 11:33:47)
[GCC 3.3.1 (Debian)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> base64.decodestring('e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ==')
'{SSHA}e\***@F/jZlu7qs/X3RxAl2LSw=='
Roland
--
Roland Bauerschmidt
Dieter Kluenter
2003-09-09 21:13:22 UTC
Post by Lloyd H. Meinholz
How do you dump the hashes from iPlanet? I'm not getting {SSHA} stuff
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
==
What the heck is that format???
***@marin:~> mmencode -u
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
=={SSHA}***@F/jZlu7qs/X3RxAl2LSw=

base64 encoding of SSHA encrypted password.

-Dieter
Post by Lloyd H. Meinholz
Lloyd
Post by Joshua Bernstein
Well if you just dump the hashes from iPlanet and then import the hash
into OpenLDAP you should be alright! It will be in the form of
{SSHA}3wr58a0ew9rsldihjf
or something like that...
Don't forget to migrate the schemas too...
Post by Lloyd H. Meinholz
I am in the process of migrating from iPlanet Directory Server 5.0 into
OpenLDAP 2.1.22. I think I have the OpenLDAP server set up to my liking
and I am now trying to migrate the ldap data. I am dumping the data from
Directory Server into an ldif file. The problem I am having is with the passwords.
I've been searching and can't seem to figure out how to get the
passwords converted into a form OpenLDAP can deal with. Does anyone have
any pointers etc.? I've been looking through the docs, archives and
google, but haven't found anything yet. Thanks for any pointers,
Lloyd
-Joshua Bernstein
Systems Analyst
University of Arizona
Tucson, Arizona, USA
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
s***@globaleyes.net
2003-09-10 02:45:00 UTC
It is interesting how three different base64 decodings of apparently
the same input each vary in the second character/byte on output.

uudecode -mr
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ==
{SSHA}e?***@F/jZlu7qs/X3RxAl2LSw==

where ghex2 shows the second byte ("?") of the encrypted string as 0x97.
Post by Lloyd H. Meinholz
Post by Lloyd H. Meinholz
How do you dump the hashes from iPlanet? I'm not getting {SSHA} stuff
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
==
What the heck is that format???
e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ
base64 encoding of SSHA encrypted password.
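
Added example, not part of the thread or of any poster's code: a Python 3 sketch of what the replies describe, unfolding an LDIF `userPassword::` value, base64-decoding it, and checking a password against the resulting {SSHA} value (base64 of SHA-1(password + salt) followed by the salt). The function names, the sample entry, its password and its salt are constructed for illustration; the leading space on the continuation lines of the thread's value is an assumption, since the archive shows it without indentation.

```python
import base64
import hashlib
import hmac

def ldif_value(ldif_text, attr):
    """Return the raw bytes of the first `attr` value in an LDIF fragment."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]        # folded line: drop the single leading space
        else:
            lines.append(line)
    for line in lines:
        name, sep, rest = line.partition(":")
        if sep and name.lower() == attr.lower():
            if rest.startswith(":"):     # "attr:: ..." marks a base64-encoded value
                return base64.b64decode(rest[1:].strip())
            return rest.strip().encode()
    return None

def make_ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def split_ssha(stored):
    """Return (digest, salt) from an {SSHA} value, or raise ValueError."""
    if not stored.upper().startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)  # binascii.Error is a ValueError
    if len(raw) <= 20:                   # SHA-1 digest is 20 bytes, the rest is salt
        raise ValueError("payload too short to hold digest and salt")
    return raw[:20], raw[20:]

def check_ssha(stored, password):
    """Verify a password against a stored {SSHA} value (what simple bind does)."""
    digest, salt = split_ssha(stored)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def is_wellformed_ssha(stored):
    try:
        split_ssha(stored)
        return True
    except ValueError:
        return False

# Constructed sample entry: password and salt are made up for this example.
_b64 = base64.b64encode(make_ssha(b"constructed-pw", b"\x01\x02\x03\x04")).decode()
SAMPLE_LDIF = "dn: uid=demo,dc=example,dc=com\nuserPassword:: %s\n %s\n" % (_b64[:40], _b64[40:])

# Value as posted in the thread; the continuation-line spaces are assumed.
THREAD_LDIF = ("userPassword::\n"
               " e1NTSEF9ZZc5eFc0N1hOT2x2YnNIUzBARi9qWmx1N3FzL1gzUnhBbDJMU3c9PQ\n"
               " ==\n")
```

The thread's value decodes to 46 bytes starting with `{SSHA}`, and the byte at offset 7 is 0x97, which is not printable ASCII, so each decoding tool displays it differently. Because the part after `{SSHA}` contains bytes outside the base64 alphabet, `is_wellformed_ssha` returns False for the value as posted.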