[389-users] Importing Pre-Hashed Passwords

Mark Reynolds mareynol at redhat.com
Mon Mar 10 14:25:44 UTC 2014


Steven,

What version of 389 are you using?

You can import it using the ldif2db command line tools.  Trying to add 
it using ldapmodify is "not" importing an ldif.  There are explicit 
checks that do not allow adding a prehashed password when adding an 
entry this way.

There is a new "Password Administrators" feature in 1.3.1, where a 
"Password Admin" can add prehashed passwords using ldapmodify.

But for now, if you just use ldif2db/ldif2db.pl you can add that LDIF 
without issue.

Regards,
Mark


On 03/08/2014 11:35 PM, Steven Crothers wrote:
> Hello,
>
> I'm trying to accomplish a poor man's replication from OpenDS from
> Oracle/Sun. Basically the logic is as follows:
>
> OpenDS is attached to our corporate IDM.
> User is managed in OpenDS.
> User updates information in OpenDS.
> OpenDS read-replica is updated in our local read-slave.
> Python script notices there was a change in our local read-slave.
> Script isolates the change from our read-slave and sends the DNs to
> sync to my 389 (FreeIPA) server.
> FreeIPA replica receives input over the network from notification
> agent which includes DNs.
> DNs attributes are re-organized (OpenDS doesn't use anything logical,
> all 100% custom attributes/objectclasses).
> DNs with re-organized attributes are inserted/updated in 389 server
> (FreeIPA), minus the updated SSHA password hash.
>
> I get an error saying that adding pre-encoded passwords isn't allowed.
> But, that makes me say "How the hell do you import an LDIF" backup,
> and frankly, I can't find anything on the subject (albeit, I
> admittedly didn't quite know how to search this issue either).
>
> I've never seen a server not accept pre-encoded password hashes (or at
> least I don't recall this specific error in OpenDS/LDAP), so my
> question is, how can I store the SSHA password hash from OpenDS in my
> 389 (FreeIPA) server?
>
> Steven Crothers
> steven.crothers at gmail.com

-- 
Mark Reynolds
389 Development Team
Red Hat, Inc
mreynolds at redhat.com
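
An added example, not part of the thread and not code from the 389 project: Python that checks an OpenDS `{SSHA}` value is structurally sound (base64 of a 20-byte SHA-1 digest followed by its salt) before writing it into an LDIF entry for the `ldif2db` import described above. The function names, the DN and the sample password are constructed for illustration, and the case-insensitive match on the scheme name is an assumption.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_LEN = 20  # SSHA layout: base64(SHA-1(password + salt) + salt)

def make_ssha(password, salt):  # only used to construct sample data
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_ssha(value):
    """Return (digest, salt) from an {SSHA} value, or raise ValueError."""
    scheme, sep, b64 = value.partition("}")
    if not sep or scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("hash is not valid base64") from exc
    if len(raw) <= SHA1_LEN:
        raise ValueError("truncated hash or missing salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def check_password(value, password):
    """Spot-check a migrated hash against a known test-account password."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_line(name, value):
    """Emit 'name: value', or base64 'name:: ...' where LDIF requires it."""
    safe = (value.isascii() and value == value.strip()
            and value[:1] not in (":", "<")
            and not any(c in value for c in "\r\n\0"))
    encoded = base64.b64encode(value.encode()).decode()
    return f"{name}: {value}" if safe else f"{name}:: {encoded}"

def ldif_entry(dn, attrs, ssha_value):
    """Render one entry for offline import; refuses a malformed hash."""
    parse_ssha(ssha_value)
    lines = [ldif_line("dn", dn)]
    for name, values in attrs.items():
        lines += [ldif_line(name, v) for v in values]
    lines.append(ldif_line("userPassword", ssha_value))
    return "\n".join(lines) + "\n\n"

# Constructed sample hash, not data from the thread.
SAMPLE_HASH = make_ssha("Constructed-pw-1", bytes(range(8)))
```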
