[Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow

Frantisek Hanzlik franta at hanzlici.cz
Thu Jan 1 10:50:52 UTC 2009

Howard Chu wrote:
 > fedora-directory-users-request redhat com wrote:
 >>    dennis demarco com wrote:
 >>>     I would like to export the MD5 hash from the Fedora directory user's password
 >>>     attribute into /etc/shadow of a Linux machine not in LDAP (Redhat).
 >>>     It appears this isn't working, is there a way for me to do this?
 >>>     Not all machines are using ldap but I would like to export from ldap.

 >>   Hi,
 >>   I haven't tried this, but here's an idea just off the top of my head which _might_ work:
 >>    1. take away the {MD5} from the string
 >>    2. base64 decode the rest of the string
 >>    3. convert the string to hex
 >>    4. put the $1$ at the front of the hex string
 >>    5. put the whole string into the password field in /etc/shadow and test
 >>    If that works, you could write a perl script to automate the procedure. And report back to the list as well :-)
 > No, the password field is not in hex, it uses the same 6-bit encoding
 > that DES crypt() uses, which is different from base64.
 > base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses
 > the characters ./[0-9][A-Z][a-z] (in those exact orders).
 > --
 >  -- Howard Chu
 > Chief Architect, Symas Corp.   http://www.symas.com
 > Director, Highland Sun   http://highlandsun.com/hyc
 > OpenLDAP Core Team  http://www.openldap.org/project/
I found this two-year-old thread. I have the same task: converting LDAP values
to passwd/shadow, and solving the password conversion. But I'm still out of luck.
My idea is to use something like MD5 crypt() with an empty salt. This
probably works, because when I create a password in this manner:

openssl passwd -1 -salt "" "heslo"

then the result works: with it in shadow I can authenticate and everything works
OK. The salt is empty: after the "$1$" signature the salt/hash
delimiter "$" follows immediately, and then, as usual, the 22-character hash.
But the result of an MD5 password created e.g. with the command:

slappasswd -h {MD5} -s "heslo"

(values coded in this manner are what I have in the LDAP DB.) It isn't a problem to convert
among the different formats, e.g.:
echo -n "heslo"|md5sum
echo -n "heslo"|openssl dgst -md5 -hex

echo '<? $A=base64_encode(pack("H*",md5("heslo"))); echo $A;?>' | php

And it is simple to obtain the full 128-bit hex MD5 hash by reversing the LDAP value:

echo '<? $A=unpack("H*",base64_decode("lV2wuB7xmJtKTf6ugGGppg==")); echo $A[1];?>'|php
In general, I have to convert the 22-character-long base-64 value into the 22-character-long
value as generated by MD5 crypt():

lV2wuB7xmJtKTf6ugGGppg        # LDAP base-64 value
1dziKo9JPNdLlVrGfqIBG.        # MD5 crypt() value

Both use a 6-bit encoding, the first with the charset "[A-Z][a-z][0-9]+/", the second
with the characters "./[0-9][A-Z][a-z]". But a simple conversion like this:

CRYPT_HASH=`echo "$BASE64_HASH"|tr 'A-Za-z0-9+/' './0-9A-Za-z'`

does not work.

Is this problem solvable at all?
Has anyone in this thread succeeded in solving this problem?
Is the idea of an empty salt realistic, with the problem being only the conversion between
the 6-bit DES crypt() encoding and base-64 encoding?
Does anyone have any knowledge about this?

Thanks in advance,
Franta Hanzlik
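An added example (my own code, not the poster's or 389-DS's) showing what the two values in the thread actually contain: {MD5} is only base64 of the raw MD5 digest, whereas $1$ is md5crypt, a salted construction with 1000 MD5 rounds whose output bytes are permuted before the 6-bit encoding, so no alphabet swap of the base64 string can produce it. It ports the crypt(3) md5crypt algorithm to Python next to the {MD5} decoder and the tr-style remap, using the "heslo" value from the thread as sample input.

```python
import base64
import hashlib

# crypt(3) alphabet (Howard's "./[0-9][A-Z][a-z]") and the base64 alphabet.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def ldap_md5_to_digest(value: str) -> bytes:
    """A {MD5} userPassword is only base64 of the raw 16-byte MD5 digest."""
    if not value.startswith("{MD5}"):
        raise ValueError("not an {MD5} userPassword value")
    return base64.b64decode(value[5:])


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """$1$ (md5crypt) as in FreeBSD/glibc crypt(3): salted and iterated."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:  # one byte per bit of len(password): NUL or first password byte
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # the iterated stretching that plain MD5 lacks
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    # Digest bytes are permuted, packed 3 at a time and emitted low 6 bits first.
    words = [(final[a] << 16) | (final[b] << 8) | final[c]
             for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = b""
    for v, n in zip(words + [final[11]], [4] * 5 + [2]):
        for _ in range(n):
            out += ITOA64[v & 0x3F:(v & 0x3F) + 1]
            v >>= 6
    return b"$1$" + salt + b"$" + out


def tr_remap(b64_value: str) -> str:
    """The tr-style alphabet swap tried in the thread (base64 -> crypt chars)."""
    return b64_value.rstrip("=").translate(str.maketrans(B64, ITOA64.decode()))
```

Compare md5crypt(b"heslo", b"") with tr_remap("lV2wuB7xmJtKTf6ugGGppg==") to see the two strings share nothing but the alphabet.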
