Sam Tran wrote:
On 7/7/05, Sam Tran <> wrote:
On 7/7/05, Rich Megginson <> wrote:
 Sam Tran wrote:
 On 7/7/05, Rich Megginson <> wrote:

 Sam Tran wrote:

 Hi all,

I compiled FDS from the latest sources.

I migrated a user entry from OpenLDAP to FDS as a test. For that user
entry I tried different password hash schemes for the userPassword
attribute and checked if it was successfully migrated to FDS. Here are
the results:

 Did you run this script first -
- to
migrate the data that used MD5 passwords?

 {CRYPT} --> OK
{MD5} --> FAILED
{SHA} --> OK
{SSHA} --> OK

I thought that FDS supported MD5 password hash. Did I miss something?

 Not sure. I would have expected {MD5} to work but not {MD5CRYPT}. See

 Thanks in advance.


 You should not need to run this script to do the migration. This
script just Base64 decodes the userPassword attribute and puts it in
the form {HASH}xxxxxxxx. FDS apparently understands the Base64 encoded
version of the password.

For SHA, SSHA, CRYPT and MD5CRYPT I didn't use this script and the
migration was successful. For MD5 I tried without and with the script:
it was unsuccessful in both cases.

 This is really bizarre, because MD5CRYPT should not work at all - it is not
supported by FDS.  The only thing I can think is that it is interpreting the
value as clear text.

 How did you verify that the migration was successful?


I simply did an ldapsearch with a binddn:
./ldapsearch -h localhost -b "dc=example,dc=com" -D "uid=joesmith,ou=people,dc=example,dc=com" -w - "objectclass=*"

I created a new user in FDS with a password I generated using this Python module:

The hash is MD5CRYPT. And it worked.

Try for yourself.

Don't forget to prepend {CRYPT} to the generated password.

Ah hah. That's why it works. But in FDS, {CRYPT} is not the same as MD5 crypt - FDS crypt uses the old unix crypt that used to be the standard for Solaris /etc/passwd and /etc/shadow (and other OSes).

dirving, any clues as to why {MD5} doesn't work?
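
Added example, not part of the thread and not FDS or OpenLDAP code: a Python sketch that Base64-decodes an LDIF userPassword value into the {HASH}xxxxxxxx form discussed above, tells a traditional 13-character crypt value from a "$1$" MD5 crypt value under the same {CRYPT} prefix, and checks a password against {MD5}, {SHA} and {SSHA} values. The function names are hypothetical and the sample values are constructed.

```python
import base64
import hashlib
import hmac

def decode_ldif_value(line):
    """Return the attribute value from an LDIF line; '::' marks a Base64 value."""
    _attr, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def classify(value):
    """Split '{SCHEME}data'; under {CRYPT}, separate old unix crypt from MD5 crypt."""
    if not value.startswith("{") or "}" not in value:
        return ("CLEARTEXT", value)
    scheme, data = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CRYPT":
        if data.startswith("$1$"):
            return ("CRYPT/md5-crypt", data)      # "$1$salt$hash"
        if len(data) == 13:
            return ("CRYPT/traditional", data)    # 2 salt chars + 11 hash chars
        return ("CRYPT/other", data)
    return (scheme, data)

def verify(value, password):
    """Check a password against {MD5}, {SHA} or {SSHA}; None for other schemes."""
    scheme, data = classify(value)
    pw = password.encode("utf-8")
    if scheme == "MD5":    # Base64 of the raw 16-byte MD5 digest
        return hmac.compare_digest(base64.b64decode(data), hashlib.md5(pw).digest())
    if scheme == "SHA":    # Base64 of the raw 20-byte SHA-1 digest
        return hmac.compare_digest(base64.b64decode(data), hashlib.sha1(pw).digest())
    if scheme == "SSHA":   # Base64 of SHA-1(password + salt) followed by the salt
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return None

# Constructed sample values (password "secret", salt b"salt"), not from the thread.
SAMPLE_MD5 = "{MD5}" + base64.b64encode(hashlib.md5(b"secret").digest()).decode()
SAMPLE_SSHA = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"secret" + b"salt").digest() + b"salt").decode()
SAMPLE_LDIF = "userPassword:: " + base64.b64encode(SAMPLE_MD5.encode()).decode()
```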