
So, our employees use the Zimbra OpenLDAP; however, since this doesn't include PosixAccount, we can't automatically link it to our Synology.

So my boss wanted me to create an OpenLDAP database, automatically import the users from the Zimbra LDAP every 6 hours or so, and link our Synology to this new OpenLDAP, which would also be a safe environment for our interns to work with LDAP.

Before you ask, I can't change the Zimbra OpenLDAP for warranty reasons.

So everything worked splendidly: the users were imported and the Synology could finally see these users. However, the passwords did not work. After looking over the export files I realized that Zimbra uses SSHA512 to hash the passwords, which isn't recognized by my OpenLDAP.

However, I can't seem to find any way of installing patches for it, since apparently OpenLDAP changed its structure and all the information I found was outdated.

Does anybody know of an easy way to teach OpenLDAP SSHA512 with a recent installation?

  • possible duplicate of [What is SSHA-512? How can OpenLDAP support it?](http://serverfault.com/questions/645744/what-is-ssha-512-how-can-openldap-support-it) – masegaloeh Aug 27 '15 at 11:16
  • It is not (I have come across it a lot by now), as the only proposed solution is changing the Zimbra LDAP configuration, which I can't do for warranty reasons. I am looking for a solution from my custom OpenLDAP server. – Julian Kurz Aug 27 '15 at 11:26

1 Answer


pw-sha2.so is not enabled by default on a stock installation of OpenLDAP.

You would need to edit the Makefile and run make and make install from the contrib/slapd-modules/passwd/sha2 directory in your source tree.

Next you need to import the sha2 module into OpenLDAP by adding the following LDIF to cn=config:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /path/of/directory/with/pw-sha2.so
olcModuleLoad: pw-sha2

For instance, on a stock Debian this is done with

ldapadd -H ldapi:/// -Y EXTERNAL -f the_five_lines_above.ldif

Now Synology can recognize sha2 passwords.

Just for reference (I don't think you would need it), if you wish passwords changed on Synology with ldappasswd to be stored as SSHA-512, add also:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA512}
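To check what the answer above relies on, namely that the hashes coming out of the Zimbra export are in the salted SHA-512 form that pw-sha2 understands ({SSHA512} followed by base64 of the 64-byte digest with the salt appended), here is an added Python example that is not part of the answer or of the OpenLDAP project. It inventories the password schemes used in an LDIF export (handling both `userPassword:` and the base64 `userPassword::` form) and verifies a candidate password against one stored value, so you can confirm the module is the only missing piece before loading it. The sample LDIF entries and the `{SSHA}` value are constructed for the example; the salt length is not fixed by the scheme, so everything after the 64-byte digest is treated as salt.

```python
import base64
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Dict, Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = 64  # SHA-512 digest size in bytes; the remainder of the decoded blob is the salt


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA512} userPassword value the way pw-sha2 does: base64(sha512(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Return True if password matches a stored {SSHA512} value; raise for other schemes."""
    if not stored.upper().startswith(SCHEME):
        raise ValueError("not an {SSHA512} value: " + stored[:12])
    blob = base64.b64decode(stored[len(SCHEME):])
    if len(blob) <= DIGEST_LEN:
        return False  # no salt present, so this is not a salted hash at all
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # constant-time comparison, so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, digest)


def summarize_schemes(ldif_text: str) -> Dict[str, int]:
    """Count the hash schemes of every userPassword attribute in an LDIF export."""
    counts: Counter = Counter()
    for line in ldif_text.splitlines():
        if line.startswith("userPassword:: "):
            # LDIF base64-encodes the whole attribute value after '::'
            value = base64.b64decode(line[len("userPassword:: "):]).decode("utf-8", "replace")
        elif line.startswith("userPassword: "):
            value = line[len("userPassword: "):]
        else:
            continue
        m = re.match(r"\{([^}]+)\}", value)
        counts[m.group(1).upper() if m else "CLEARTEXT"] += 1
    return dict(counts)


def _ldif_b64(attr: str, value: str) -> str:
    """Render an attribute in LDIF's '::' base64 form, as many export tools do for userPassword."""
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


# Constructed sample export: two SSHA512 entries (one base64-wrapped) and one legacy SSHA entry.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    _ldif_b64("userPassword", make_ssha512("alice-pass", b"saltsalt")),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    "userPassword: " + make_ssha512("bob-pass", b"12345678"),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "userPassword: {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # constructed placeholder value
])

if __name__ == "__main__":
    print("schemes in export:", summarize_schemes(SAMPLE_LDIF))
    stored = make_ssha512("alice-pass", b"saltsalt")
    print("alice-pass verifies:", verify_ssha512("alice-pass", stored))
    print("wrong password verifies:", verify_ssha512("wrong", stored))
```

If the inventory shows only SSHA512 (as the question reports), loading pw-sha2 is sufficient; any entries in another scheme that slapd does not know would keep failing to bind and are worth spotting before the first import run rather than from user complaints.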