Fedora directory users - Dec 2007 - Migrating RHEL users to Directory Server

Fedora Directory Users,
 
I have a bunch of users currently using local RHEL 4 local unix user
accounts for their usernames and passwords and I would like to migrate
them to Directory Server. My question concerns the MD5 sum password.
 
I tried adding a user joeltest with password joeltest and I got hash:
 
JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0
 
from RHEL but I got hash:
 
WGvQgGYUH2UOX2ZA1IQeyQ= 
>From Directory Server when I set the same password.
 
I''m guessing this is to do with further encodings placed on the
password
hash. Hoping someone has done this before and can point me in the right
direction?
 
Thanks
 
Joel
 
 

The information contained in this e-mail message and any accompanying files is
or may be confidential. If you are not the intended recipient, any use,
dissemination, reliance, forwarding, printing or copying of this e-mail or any
attached files is unauthorised. This e-mail is subject to copyright. No part of
it should be reproduced, adapted or communicated without the written consent of
the copyright owner. If you have received this e-mail in error please advise the
sender immediately by return e-mail or telephone and delete all copies. Fairfax
does not guarantee the accuracy or completeness of any information contained in
this e-mail or attached files. Internet communications are not secure, therefore
Fairfax does not accept legal responsibility for the contents of this message or
attached files.

On Fri, Dec 21, 2007 at 01:51:30PM +1100, Joel Heenan
wrote:
> Fedora Directory Users,
> 
> I have a bunch of users currently using local RHEL 4 local unix user
> accounts for their usernames and passwords and I would like to migrate
> them to Directory Server. My question concerns the MD5 sum password.
> 
> I tried adding a user joeltest with password joeltest and I got hash:
> 
> JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0
> 
> from RHEL but I got hash:
> 
> WGvQgGYUH2UOX2ZA1IQeyQ=
This value is the base64 encoded value of the md5 digest of the password,
and is the same as the md5 digest of "joeltest":
$ echo -n "joeltest" | openssl dgst -md5 -binary | openssl base64
WGvQgGYUH2UOX2ZA1IQeyQ=$

Regards.
> >From Directory Server when I set the same password.
> 
> I''m guessing this is to do with further encodings placed on the
password
> hash. Hoping someone has done this before and can point me in the right
> direction?
> 
> Thanks
> 
> Joel
-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

Ok then so from my reading a bit more into how the Linux MD5 sum is
calculated it seems that because it includes a salt and is otherwise
mangled what I''m attempting to do is impossible and I''ll need
to get
users to set passwords manually. Is this correct?

I was hoping that I could take the Linux PAM MD5 and plonk it inside
Directory Server but this doesn''t seem possible. Unless there is some
plugin designed for this that understands Linux MD5?

Thanks

Joel 
> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com 
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf 
> Of Jonathan Barber
> Sent: Monday, 24 December 2007 11:49 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Migrating RHEL users to 
> Directory Server
> 
> On Fri, Dec 21, 2007 at 01:51:30PM +1100, Joel Heenan wrote:
> > Fedora Directory Users,
> > 
> > I have a bunch of users currently using local RHEL 4 local 
> unix user 
> > accounts for their usernames and passwords and I would like 
> to migrate 
> > them to Directory Server. My question concerns the MD5 sum password.
> > 
> > I tried adding a user joeltest with password joeltest and I 
> got hash:
> > 
> > JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0
> > 
> > from RHEL but I got hash:
> > 
> > WGvQgGYUH2UOX2ZA1IQeyQ=> 
> This value is the base64 encoded value of the md5 digest of 
> the password, and is the same as the md5 digest of "joeltest":
> $ echo -n "joeltest" | openssl dgst -md5 -binary | openssl 
> base64 WGvQgGYUH2UOX2ZA1IQeyQ== $
> 
> Regards.
> 
> > >From Directory Server when I set the same password.
> > 
> > I''m guessing this is to do with further encodings placed on
the
> > password hash. Hoping someone has done this before and can 
> point me in 
> > the right direction?
> > 
> > Thanks
> > 
> > Joel
> 
> --
> Jonathan Barber
> High Performance Computing Analyst
> Tel. +44 (0) 1382 386389
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
The information contained in this e-mail message and any accompanying files is
or may be confidential. If you are not the intended recipient, any use,
dissemination, reliance, forwarding, printing or copying of this e-mail or any
attached files is unauthorised. This e-mail is subject to copyright. No part of
it should be reproduced, adapted or communicated without the written consent of
the copyright owner. If you have received this e-mail in error please advise the
sender immediately by return e-mail or telephone and delete all copies. Fairfax
does not guarantee the accuracy or completeness of any information contained in
this e-mail or attached files. Internet communications are not secure, therefore
Fairfax does not accept legal responsibility for the contents of this message or
attached files.

On Mon, Dec 31, 2007 at 02:25:21PM +1100, Joel Heenan
wrote:
> Ok then so from my reading a bit more into how the Linux MD5 sum is
> calculated it seems that because it includes a salt and is otherwise
> mangled what I''m attempting to do is impossible and I''ll
need to get
> users to set passwords manually. Is this correct?
Yes.

If you want to postpone having to get your users to reset their
passwords, you could try the pam-passthru plugin:
http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.6&view=auto
> I was hoping that I could take the Linux PAM MD5 and plonk it inside
> Directory Server but this doesn''t seem possible. Unless there is
some
> plugin designed for this that understands Linux MD5?
Not that I know of, but it shouldn''t be that difficult to write using
the existing pwdstorage plugins as a starting point.
> Thanks
> 
> Joel 
> 
> > -----Original Message-----
> > From: fedora-directory-users-bounces@redhat.com 
> > [mailto:fedora-directory-users-bounces@redhat.com] On Behalf 
> > Of Jonathan Barber
> > Sent: Monday, 24 December 2007 11:49 PM
> > To: General discussion list for the Fedora Directory server project.
> > Subject: Re: [Fedora-directory-users] Migrating RHEL users to 
> > Directory Server
> > 
> > On Fri, Dec 21, 2007 at 01:51:30PM +1100, Joel Heenan wrote:
> > > Fedora Directory Users,
> > > 
> > > I have a bunch of users currently using local RHEL 4 local 
> > unix user 
> > > accounts for their usernames and passwords and I would like 
> > to migrate 
> > > them to Directory Server. My question concerns the MD5 sum
password.
> > > 
> > > I tried adding a user joeltest with password joeltest and I 
> > got hash:
> > > 
> > > JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0
> > > 
> > > from RHEL but I got hash:
> > > 
> > > WGvQgGYUH2UOX2ZA1IQeyQ=> > 
> > This value is the base64 encoded value of the md5 digest of 
> > the password, and is the same as the md5 digest of
"joeltest":
> > $ echo -n "joeltest" | openssl dgst -md5 -binary | openssl 
> > base64 WGvQgGYUH2UOX2ZA1IQeyQ== $
> > 
> > Regards.
> > 
> > > >From Directory Server when I set the same password.
> > > 
> > > I''m guessing this is to do with further encodings placed
on the
> > > password hash. Hoping someone has done this before and can 
> > point me in 
> > > the right direction?
> > > 
> > > Thanks
> > > 
> > > Joel
> > 
> > --
> > Jonathan Barber
> > High Performance Computing Analyst
> > Tel. +44 (0) 1382 386389
> > 
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > 
> 
> The information contained in this e-mail message and any accompanying files
is or may be confidential. If you are not the intended recipient, any use,
dissemination, reliance, forwarding, printing or copying of this e-mail or any
attached files is unauthorised. This e-mail is subject to copyright. No part of
it should be reproduced, adapted or communicated without the written consent of
the copyright owner. If you have received this e-mail in error please advise the
sender immediately by return e-mail or telephone and delete all copies. Fairfax
does not guarantee the accuracy or completeness of any information contained in
this e-mail or attached files. Internet communications are not secure, therefore
Fairfax does not accept legal responsibility for the contents of this message or
attached files.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

Jonathan Barber wrote:
> On Mon, Dec 31, 2007 at 02:25:21PM +1100, Joel Heenan wrote:
>   
>> Ok then so from my reading a bit more into how the Linux MD5 sum is
>> calculated it seems that because it includes a salt and is otherwise
>> mangled what I''m attempting to do is impossible and
I''ll need to get
>> users to set passwords manually. Is this correct?
>>     
>
> Yes.
>
> If you want to postpone having to get your users to reset their
> passwords, you could try the pam-passthru plugin:
>
http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.6&view=auto
>
>   
>> I was hoping that I could take the Linux PAM MD5 and plonk it inside
>> Directory Server but this doesn''t seem possible. Unless there
is some
>> plugin designed for this that understands Linux MD5?
>>     
>
> Not that I know of, but it shouldn''t be that difficult to write
using
> the existing pwdstorage plugins as a starting point.
>   
You might try the crypt format.  On most linux platforms, system crypt 
uses MD5.
>   
>> Thanks
>>
>> Joel 
>>
>>     
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces@redhat.com 
>>> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf 
>>> Of Jonathan Barber
>>> Sent: Monday, 24 December 2007 11:49 PM
>>> To: General discussion list for the Fedora Directory server
project.
>>> Subject: Re: [Fedora-directory-users] Migrating RHEL users to 
>>> Directory Server
>>>
>>> On Fri, Dec 21, 2007 at 01:51:30PM +1100, Joel Heenan wrote:
>>>       
>>>> Fedora Directory Users,
>>>>
>>>> I have a bunch of users currently using local RHEL 4 local 
>>>>         
>>> unix user 
>>>       
>>>> accounts for their usernames and passwords and I would like 
>>>>         
>>> to migrate 
>>>       
>>>> them to Directory Server. My question concerns the MD5 sum
password.
>>>>
>>>> I tried adding a user joeltest with password joeltest and I 
>>>>         
>>> got hash:
>>>       
>>>> JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0
>>>>
>>>> from RHEL but I got hash:
>>>>
>>>> WGvQgGYUH2UOX2ZA1IQeyQ=>>>>         
>>> This value is the base64 encoded value of the md5 digest of 
>>> the password, and is the same as the md5 digest of
"joeltest":
>>> $ echo -n "joeltest" | openssl dgst -md5 -binary |
openssl
>>> base64 WGvQgGYUH2UOX2ZA1IQeyQ== $
>>>
>>> Regards.
>>>
>>>       
>>>> >From Directory Server when I set the same password.
>>>>
>>>> I''m guessing this is to do with further encodings
placed on the
>>>> password hash. Hoping someone has done this before and can 
>>>>         
>>> point me in 
>>>       
>>>> the right direction?
>>>>
>>>> Thanks
>>>>
>>>> Joel
>>>>         
>>> --
>>> Jonathan Barber
>>> High Performance Computing Analyst
>>> Tel. +44 (0) 1382 386389
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>       
>> The information contained in this e-mail message and any accompanying
files is or may be confidential. If you are not the intended recipient, any use,
dissemination, reliance, forwarding, printing or copying of this e-mail or any
attached files is unauthorised. This e-mail is subject to copyright. No part of
it should be reproduced, adapted or communicated without the written consent of
the copyright owner. If you have received this e-mail in error please advise the
sender immediately by return e-mail or telephone and delete all copies. Fairfax
does not guarantee the accuracy or completeness of any information contained in
this e-mail or attached files. Internet communications are not secure, therefore
Fairfax does not accept legal responsibility for the contents of this message or
attached files.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>     
>
>

On Thu, 2008-01-03 at 12:35 -0700, Rich Megginson wrote:
> You might try the crypt format.  On most linux platforms, system
> crypt 
> uses MD5.
This will work with hashes from /etc/shadow that start ''$1$''.
It should
also work with the old-style DES hashes that you shouldn''t be using
anymore. For example, if you had a shadow line that read:

username:$1$CxLcjTxD$IRuWOqGVHrXJkJsRdPYqq.:12345:0:99999:7:::

Then the userpassword value would be ''{crypt}$1$CxLcjTxD
$IRuWOqGVHrXJkJsRdPYqq.''