I'd agree with Gavin. Just go ahead and reset the passwords. Might be a good time to work on a password self-service solution too. ;)

--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices
Identity Management, LDAP, and Linux Integration

Gavin Henry wrote:
> Zhang Weiwu wrote:
>> Dear everyone
>>
>> I am planning to migrate an Intranet info system to authenticate with
>> OpenLDAP, so more of our business can be done with the same login. The
>> old system uses their own SQL table to store user information, no
>> problem, I can write a script to convert to LDIF format. But md5 was
>> used to encrypt user password, and the developer of that system knows
>> md5 is cracked, so he encrypted the md5 hash with md5 method again.
>>
>> clear text password --> md5 hash --> md5 hash of the md5 hash
>>
>> My question:
>>
>> 1. Have you ever heard this solution to avoid md5 crack? Now as I
>> cannot reach the original system author, I wonder how this idea
>> came to be (e.g. why not using SHA).
>
> not heard of it.
>
>> 2. Does it work? (is md5 hashed md5 hash much safer with no
>> side-effect?)
>
> Sounds like it would take twice as long.
>
>> 3. Now, how we can migrate this system to use openldap. AFAIK
>> openldap has no direct support for such hash. There are a lot of
>> users of the system and there will be problems if migration is
>> done and everyone's password is reset...
>
> You'd have to get everyone to type in their md5 hash ;-)
>
> You've no choice but to reset all passwords. Seems like the best time to
> do it under the "migration" umbrella.
>
> Gavin.
>
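As an added example (not code from anyone in this thread), a Python sketch of the migration the replies recommend: it reproduces the legacy md5-of-md5 scheme only to show it is unsalted, then writes LDIF entries that drop that hash in favour of a fresh temporary password stored as {SSHA}, which slapd can verify. The hex encoding of the inner digest, the ou=people layout and the sample rows are assumptions.

```python
import base64
import hashlib
import os
import secrets

def legacy_md5_hex(text):
    """Hex MD5 of a string, the building block of the legacy scheme."""
    return hashlib.md5(text.encode()).hexdigest()

def legacy_double_md5(password):
    """Legacy scheme from the thread: MD5 of the hex MD5 digest (the hex
    encoding of the inner digest is an assumption). There is no salt, so
    equal passwords always give equal hashes and a reset is the only fix."""
    return legacy_md5_hex(legacy_md5_hex(password))

def ssha_userpassword(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password, stored):
    """Check a password against an {SSHA} value, as slapd does on bind."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def legacy_rows_to_ldif(rows, base_dn):
    """Turn legacy (uid, cn, sn, double_md5) rows into LDIF entries. The
    legacy hash is dropped, since slapd has no scheme for it; each entry
    gets a fresh temporary password, returned so it can be handed out."""
    entries, temp_passwords = [], {}
    for uid, cn, sn, _legacy_hash in rows:
        temp = secrets.token_urlsafe(12)
        temp_passwords[uid] = temp
        entries.append("\n".join([
            f"dn: uid={uid},ou=people,{base_dn}",
            "objectClass: inetOrgPerson",
            f"uid: {uid}",
            f"cn: {cn}",
            f"sn: {sn}",
            f"userPassword: {ssha_userpassword(temp)}",
        ]))
    return "\n\n".join(entries) + "\n", temp_passwords

# Constructed sample rows standing in for the legacy SQL user table.
SAMPLE_ROWS = [
    ("alice", "Alice Example", "Example", legacy_double_md5("hunter2")),
    ("bob", "Bob Example", "Example", legacy_double_md5("hunter2")),
]
```

Note that the two constructed rows share a password and therefore share a legacy hash, which is what an unsalted scheme leaks regardless of how many times MD5 is applied.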
