I need to convert LDAP accounts to passwd/shadow. The problem is password
conversion: from the LDAP DB I obtain something like this (I know that the
plain password is the string "heslo"):

userPassword:: e01ENX1sVjJ3dUI3eG1KdEtUZjZ1Z0dHcHBnPT0=

The value is base-64 encoded, thus the real value is:

echo -n "e01ENX1sVjJ3dUI3eG1KdEtUZjZ1Z0dHcHBnPT0="|base64 -d

which is the same value as obtained from:

slappasswd -h {MD5} -s "heslo"

and was evaluated via a PHP script such as:

echo '<? $A=base64_encode(pack("H*",md5("heslo"))); echo $A;?>' | php

It is simple to obtain the full 128-bit hex MD5 hash by reverting this:

echo '<? $A=unpack("H*",base64_decode("lV2wuB7xmJtKTf6ugGGppg==")); echo $A[1];?>' | php

The result is right, as may be validated by:

echo -n "heslo"|md5sum
echo -n "heslo"|openssl dgst -md5 -hex

But now, how to convert it to the form used in /etc/shadow? A "normal" shadow
password entry has the form "$1$" "salt(usually 8 chars)" "$" "22chars digest".
I was hoping this may be done with an empty salt, as generated with the command:

openssl passwd -1 -salt "" "heslo"

This is quite a valid /etc/shadow password value and authentication works
fine with it, but how to convert the LDAP md5 hash to this form? Both have 22 chars:
lV2wuB7xmJtKTf6ugGGppg        # LDAP base-64 value
1dziKo9JPNdLlVrGfqIBG.        # MD5 crypt() value

but they are different. I found on the Internet a mail from Mr. Howard Chu:
where it is stated:
"base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses
the characters ./[0-9][A-Z][a-z] (in those exact orders)."

But things are probably more difficult than I imagined; a simple conversion
in the style:

CRYPT_HASH=`echo "$BASE64_HASH"|tr 'A-Za-z0-9+/' './0-9A-Za-z'`

does not work.

Is this problem ever solvable?
Is the idea of an empty salt real, and is the problem only in the conversion
between 6-bit DES crypt() encoding and base-64 encoding?
Does anyone have any knowledge about this?

Thanks in advance. Sorry for my English.
Frantisek Hanzlik 
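
Added example, not part of the original post: a Python comparison of the two values discussed above. It decodes the LDAP {MD5} value to its 16 raw bytes, applies the alphabet swap from the tr command, and computes the "$1$" md5-crypt value with an empty salt. The function names are this example's own, and md5_crypt is a hashlib transcription of the md5-crypt algorithm, in which the 22-character digest comes from a salted, 1000-round construction over the plaintext and a reordered 6-bit encoding, so it is not a re-encoding of the single MD5 stored in LDAP.

```python
import base64
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def ldap_md5_digest(ldif_value: str) -> bytes:
    """Decode an LDIF 'userPassword::' value holding an {MD5} hash to 16 raw bytes."""
    scheme, _, b64 = base64.b64decode(ldif_value).decode().partition("}")
    if scheme.upper() != "{MD5":
        raise ValueError("not an {MD5} userPassword value")
    return base64.b64decode(b64)

def md5_crypt(password: bytes, salt: bytes = b"") -> str:
    """md5-crypt ('$1$') as stored in /etc/shadow, using hashlib only."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(n, 16)])
    n = len(password)
    while n:                      # one extra byte per bit of the password length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):         # stretching rounds; LDAP {MD5} has none
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""                      # bytes are reordered, 6 bits emitted low-first
    for i, j, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[i] << 16 | final[j] << 8 | final[k]
        out += "".join(ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def tr_translate(b64_digest: str) -> str:
    """The alphabet swap tried in the post: tr 'A-Za-z0-9+/' './0-9A-Za-z'."""
    return b64_digest.rstrip("=").translate(str.maketrans(B64, ITOA64))

if __name__ == "__main__":
    raw = ldap_md5_digest("e01ENX1sVjJ3dUI3eG1KdEtUZjZ1Z0dHcHBnPT0=")  # value from the post
    print(raw.hex(), raw == hashlib.md5(b"heslo").digest())
    print(tr_translate(base64.b64encode(raw).decode()))  # swapped alphabet only
    print(md5_crypt(b"heslo"))    # compare with: openssl passwd -1 -salt "" "heslo"
```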
