2

I am working on a project with a central user database system. One of the requirements of the system is that there should be only one set of users for all the application. FreeRADIUS and Samba are two my applications that both use LDAP as their backend. Since users must be the same for the entire system that contains many other applications, I have to read the list of users from the central database and recreate them in the LDAP directories for Samba and FreeRADIUS. The problem is that users are sent to me from another entity and I can save them in the database with their hash passwords. I don't have access to their cleartext passwords. I am wondering if I could enter directly a hash password for a new user in LDAP with my preferred hash mechanism. If not, can any one tell me what strategy I have to use?

I am running my server on UBUNTU 12.04 and all other applications are the latest versions. My database system is PostgreSQL 9.2.

Thank you

alibaba
  • 417
  • 1
  • 5
  • 13

1 Answers1

3

Since you are using OpenLDAP, if you have a compatible hashed format (and here), you can enter the hash directly into the userPassword attribute. Take care that some LDAP clients may second-guess modifications to userPassword and apply hashing (similar to the way some LDAP servers automatically modify or hash this attribute when written). ldapadd/ldapmodify will correctly update the password without re-interpreting it (as long as you don't have a server password policy ppolicy_hash_cleartext in effect, which might complicate things).

You will need to determine the format you have, and prefix the hash or hash+salt format with type type, e.g. {SHA}xxxxxx or {SSHA}xxxxxx (where xxxxxx is a base64 encoded hash or hash+salt respectively).

If it's crypt format, you can enter it with a {crypt} prefix, but in the case of OpenLDAP you will need to have a build configured with --enable-crypt, since its use is deprecated. OpenLDAP will use the C library crypt() function, there can be platform specific variations in its output. On Linux there's a simple workaround, crypt() is in its own libcrypt library which you can "adjust" at compile- or run-time. (Also note crypt() is not re-entrant, so slapd uses a mutext to protect calls to it.) See also password-crypt-salt-format for solving the problem in the other direction: making OpenLDAP store passwords in various crypt formats.

Since you are using Samba, you should research also the smbk5pwd overlay (the README is more useful). Note though this requires password changes to use a proper password modify operation rather than direct modification of userPassword.

With OpenLDAP you also have the option of delegating password verification to an external system via SASL (also requires non-default build configuration), which may suffice during a migration window until all users reset their passwords. A further option (which often comes as a surprise), is that OpenLDAP also supports multiple passwords per-user, each of which is tried in turn during authentication. While slightly fragile (it requires all writers of the userPassword attribute to do The Right Thing), it can help with migration, especially when merging multiple systems.

mr.spuratic
  • 3,400
  • 19
  • 14