Since you are using OpenLDAP, if you have a compatible hashed format (and here), you can enter the hash directly into the userPassword
attribute. Take care that some LDAP clients may second-guess modifications to userPassword
and apply hashing (similar to the way some LDAP servers automatically modify or hash this attribute when written). ldapadd
/ldapmodify
will correctly update the password without re-interpreting it (as long as you don't have a server password policy ppolicy_hash_cleartext
in effect, which might complicate things).
You will need to determine the format you have, and prefix the hash or hash+salt format with type type, e.g. {SHA}xxxxxx
or {SSHA}xxxxxx
(where xxxxxx is a base64 encoded hash or hash+salt respectively).
If it's crypt format, you can enter it with a {crypt}
prefix, but in the case of OpenLDAP you will need to have a build configured with --enable-crypt
, since its use is deprecated. OpenLDAP will use the C library crypt()
function, there can be platform specific variations in its output. On Linux there's a simple workaround, crypt()
is in its own libcrypt
library which you can "adjust" at compile- or run-time. (Also note crypt()
is not re-entrant, so slapd
uses a mutext to protect calls to it.)
See also password-crypt-salt-format
for solving the problem in the other direction: making OpenLDAP store passwords in various crypt formats.
Since you are using Samba, you should research also the smbk5pwd overlay (the README is more useful). Note though this requires password changes to use a proper password modify operation rather than direct modification of userPassword
.
With OpenLDAP you also have the option of delegating password verification to an external system via SASL (also requires non-default build configuration), which may suffice during a migration window until all users reset their passwords. A further option (which often comes as a surprise), is that OpenLDAP also supports multiple passwords per-user, each of which is tried in turn during authentication. While slightly fragile (it requires all writers of the userPassword
attribute to do The Right Thing), it can help with migration, especially when merging multiple systems.