Environment
Novell eDirectory 8.8 for All Platforms
Situation
Passwords can be imported into eDirectory via an LDIF file as MD5, SHA, CRYPT or SSHA hashes.
The following are the steps required to import the password hash.
Resolution
eDirectory LDAP requires the hash to be in base64 format.
One way to create an MD5 hash in base64 format is to use the following command:
echo -n <password> | openssl md5 -binary | base64
EX: echo -n novell | openssl md5 -binary | base64
Returns: idqALKKBPp73J1bMsH4jVQ== for the text: novell
Add the text returned to an ldif file.
EX: user.ldif
dn: cn=user,ou=users,o=novell
changetype: modify
replace: userPassword
userPassword: {md5}idqALKKBPp73J1bMsH4jVQ==
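The hash-and-LDIF step above is easy to get subtly wrong (a stray newline from `echo` without `-n` changes the digest, and a value can be pasted that does not actually encode the intended password). The following is an added example, not part of the original TID, that reproduces what the `openssl ... | base64` pipeline produces, builds the same LDIF entry, and checks a candidate password against the generated value before it is imported. It also covers the SHA and SSHA schemes the TID lists; the `{ssha}` layout used here, base64(sha1(password || salt) || salt), is the common LDAP one and is an assumption about what eDirectory accepts. The DN and password are the ones from the TID; the fixed salt is constructed so the output is reproducible. CRYPT is left out because it depends on the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Sample values for this added example: DN and password as in the TID,
# salt constructed (fixed here only so the SSHA output is reproducible).
SAMPLE_DN = "cn=user,ou=users,o=novell"
SAMPLE_PASSWORD = "novell"
SAMPLE_SALT = bytes.fromhex("0011223344556677")


def md5_b64(password: str) -> str:
    """Same bytes as: echo -n <password> | openssl md5 -binary | base64
    Nothing but the password itself is hashed, which is why the TID's
    command uses echo -n (a trailing newline would change the digest)."""
    return base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode()


def sha_b64(password: str) -> str:
    """Unsalted SHA-1 for the {sha} scheme: base64(sha1(password))."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()


def ssha_b64(password: str, salt: bytes) -> str:
    """Salted SHA-1 in the usual LDAP {ssha} layout (assumed to be what
    eDirectory expects): base64(sha1(password || salt) || salt).
    The salt rides along after the digest so a verifier can recover it."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode()


def make_user_password(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build the complete userPassword attribute value, e.g. '{md5}idqA...'."""
    scheme = scheme.lower()
    if scheme == "md5":
        return "{md5}" + md5_b64(password)
    if scheme == "sha":
        return "{sha}" + sha_b64(password)
    if scheme == "ssha":
        return "{ssha}" + ssha_b64(password, salt if salt is not None else os.urandom(8))
    raise ValueError("unsupported scheme for this example: " + scheme)


def make_ldif(dn: str, user_password: str) -> str:
    """Emit the 'replace: userPassword' LDIF entry in the form the TID shows."""
    return (
        "dn: " + dn + "\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword: " + user_password + "\n"
    )


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {md5}/{sha}/{ssha} value.
    Run this on the LDIF value before importing it; it also makes the
    difference visible: only {ssha} carries a per-user salt, the other two
    schemes are plain unsalted digests of the password."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").lower()
    raw = base64.b64decode(b64)
    pw = candidate.encode("utf-8")
    if scheme == "md5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "sha":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "ssha":
        digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False


if __name__ == "__main__":
    for scheme in ("md5", "sha", "ssha"):
        value = make_user_password(scheme, SAMPLE_PASSWORD, SAMPLE_SALT)
        assert verify_user_password(value, SAMPLE_PASSWORD)
        print(make_ldif(SAMPLE_DN, value))
```

Run it to print three ready-to-import LDIF entries; the `{md5}` line is the same value the `openssl` pipeline in the TID yields for the same input. Of the schemes the TID lists, prefer SSHA where the consuming application allows it, since the unsalted MD5 and SHA values can be attacked with precomputed tables once they leave the directory.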
Ensure there is no password policy applied to the user that will be modified via the ldif file.
Add the following variables to the pre_ndsd_start script and restart ndsd. Default location is /opt/novell/eDirectory/sbin
NDSD_TRY_NMASLOGIN_FIRST=true
export NDSD_TRY_NMASLOGIN_FIRST
Make sure both SIMPLE PASSWORD and DIGEST-MD5 NMAS methods are installed.
Set the SIMPLE PASSWORD method as the default method.
Use ice with the -l option for the LDAP destination handler.
Description of -l option:
Stores password values using the simple password method of the Novell Modular Authentication Service (NMAS). Passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers. This improves the speed with which an object that has password information can be loaded.
EX: ice -v -SLDIF -f /tmp/user.ldif -DLDAP -s192.168.0.10 -p389 -dcn=admin,o=novell -w password -B -l
To cause the new password to be added to Universal Password:
Assign a password policy to the user.
Bind as the user with the newly added hashed password using ice. ice has a built-in mechanism that will check Simple Password.
EX: ice -v -SLDAP -d cn=user,ou=users,o=novell -w novell -s 192.168.0.100 -p389 -F cn=user -DLDIF -f /tmp/user.out
Test binding using the newly imported password.
EX: /usr/bin/ldapsearch -D cn=user,ou=users,o=novell -U user.users.novell -h 192.168.0.100 -p389 -Y DIGEST-MD5 -b o=novell cn=user dn
EX: ndslogin user.users.novell
Additional Information
NOTES:
1. Hashes must be in base64 format to import correctly into eDirectory.
2. Use ice with -l option on the LDAP destination handler so that the password gets imported into the Simple password.
3. Do not use the eDirectory version of ldapsearch to bind using the DIGEST-MD5 password. The eDirectory version of ldapsearch is unable to perform the DIGEST-MD5 authentication.