We are attempting to sync (via ldap copy) the usernames and passwords of
our FDS LDAP users with an OpenLDAP server. The issue we are running
into is we are fairly new to FDS and can't figure out how to determine
the SSHA Seed value (which we could then set as the seed on the OpenLDAP
server).
I've been searching this morning and have failed to discover anything;
any info would be very useful.
Thanks,
--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
Robert r. Sanders wrote:
> We are attempting to sync (via ldap copy) the usernames and passwords of
> our FDS LDAP users with an OpenLDAP server. The issue we are running
> into is we are fairly new to FDS and can't figure out how to determine
> the SSHA Seed value (which we could then set as the seed on the OpenLDAP
> server).
>
> I've been searching this morning and have failed to discover anything;
> any info would be very useful.

Hi,
I don't think it matters what you set for a SSHA salt (seed) value on
the OL side.

SHA salts only serve the purpose of ensuring that two hashes of
identical data yield different output. Validating two hashes of
identical data will succeed, even if they were generated with
different salts, and thus look different.

BR,
--
mike

Robert r. Sanders wrote:
> Yeah, but what I want to do is copy the HASH from one server to the other.
>

In that case, you don't need to do anything.

If you have FDS set to do hashing in SSHA, and you send a cleartext
string as a userPassword modify, then FDS SSHA hashes it for you.

If you send a string prefixed with {SSHA} as a userPassword modify,
FDS does not hash it for you.

--
mike

Yeah, but what I want to do is copy the HASH from one server to the other.

Mike Jackson wrote:
> Robert r. Sanders wrote:
>> We are attempting to sync (via ldap copy) the usernames and passwords
>> of our FDS LDAP users with an OpenLDAP server. The issue we are
>> running into is we are fairly new to FDS and can't figure out how to
>> determine the SSHA Seed value (which we could then set as the seed on
>> the OpenLDAP server).
>>
>> I've been searching this morning and have failed to discover
>> anything; any info would be very useful.
>
> Hi,
> I don't think it matters what you set for a SSHA salt (seed) value on
> the OL side.
>
> SHA salts only serve the purpose of ensuring that two hashes of
> identical data yield different output. Validating two hashes of
> identical data will succeed, even if they were generated with
> different salts, and thus look different.
>
> BR,
> --
> mike
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
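An added example, not part of the thread and not code from FDS or OpenLDAP, to make concrete the point in the two replies above: an {SSHA} userPassword value is base64(SHA1(password || salt) || salt) in the RFC 2307 style, so the salt travels inside the stored value and a verifying server recovers it from there rather than from any configured "seed". The script below builds such values with two different salt lengths (4 and 8 bytes, standing in for what slappasswd and FDS are commonly seen to emit; the verifier does not depend on either), shows that two hashes of the same password differ yet both verify, and mirrors the store-as-is behaviour Mike describes for values that already carry the {SSHA} prefix. All names, the sample password and the salts are constructed for this illustration.

```python
"""Constructed example: how {SSHA} userPassword values carry their own salt."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; whatever follows it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None, salt_len: int = 8) -> str:
    """Return a {SSHA} value: base64(SHA1(password || salt) || salt).

    Salt length is an implementation choice (assumed here: 4 bytes for
    slappasswd-style values, 8 for FDS-style); ssha_verify() reads whatever
    length is present, so values from either source verify the same way.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value.

    No server-side seed is involved: the salt is split off the decoded value
    itself, so a value copied verbatim from another server still verifies.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # constant-time compare avoids leaking how many digest bytes matched
    return hmac.compare_digest(digest, expected)


def store_user_password(value: str) -> str:
    """Model the server behaviour described in the thread (assumption, not
    server code): a cleartext modify is hashed, a value already prefixed
    with {SSHA} is stored exactly as sent."""
    return value if value.startswith(SCHEME) else ssha_hash(value)


def demo(password: str = "correct horse") -> Dict[str, bool]:
    """Walk through the copy-the-hash scenario and report each check."""
    fds_value = ssha_hash(password, salt_len=8)  # what FDS would have stored
    ol_value = ssha_hash(password, salt_len=4)   # what slappasswd would make
    copied = store_user_password(fds_value)      # FDS hash sent to OpenLDAP
    return {
        "hashes_differ": fds_value != ol_value,             # different salts
        "fds_verifies": ssha_verify(fds_value, password),
        "ol_verifies": ssha_verify(ol_value, password),
        "copied_unchanged": copied == fds_value,            # not re-hashed
        "copied_verifies": ssha_verify(copied, password),   # salt came along
        "wrong_password_rejected": not ssha_verify(copied, "wrong"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {'ok' if ok else 'FAIL'}")
```

If a copied value fails to verify on the receiving side, the first thing to check with this in hand is whether the value arrived intact and still prefixed with {SSHA}; a server that receives it without the prefix, or configured to treat it as cleartext, will hash the hash, and the result can never match the user's password.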
That sounds reasonable; but it doesn't appear to work. Let me go into
the details a little more:
1. FDS + Samba3 on one server with users' passwords stored as SSHA
Hashed values.
2. New OpenLDAP install on a different server (used by other services
on that machine, and no they won''t play nice w/ external ldap
server); this server is also setup (already) to store passwords
using SSHA.
3. We want to copy the hashed password value from FDS and put in it
into the OpenLDAP server as the userPassword attribute for the
users; however the other server is using a different sha seed,
therefore when it tries to compare the value entered by the user
to the stored value it fails (as it is using its own seed to
re-hash the password and do the comparison).
So that's where we stand. Currently have been told to simply set all
users in the OpenLDAP to a default value and make them reset their
passwords on that server if they want to.
Mike Jackson wrote:> Robert r. Sanders wrote:
>> Yeah, but what I want to do is copy the HASH from one server to the
>> other.
>>
>>
>
> In that case, you don''t need to do anything.
>
> If you have FDS set to do hashing in SSHA, and you send a cleartext
> string as a userPassword modify, then FDS SSHA hashes it for you.
>
> If you send a string prefixed with {SSHA} as a userPassword modify,
> FDS does not hash it for you.
>
> --
> mike
>
--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net