migrating from crypt to md5


by Piotr KUCHARSKI


Hello,

I have a nicely running Solaris 9 with 40k+ users authenticating
(with the help of pam_ldap) against OpenLDAP on another server
using clear passwords over SSL.

Attribute userPassword is (after migration from /etc/shadow) in
{crypt} format.

Is there an easy way to slowly migrate to {md5} passwords?

I was trying to manually put an {md5} password in userPassword (19 chars
long, because that's the motive for the change), but then the given user
does not authenticate anymore. I thought slowly putting md5 passwords in
userPassword would suffice (I have my own WWW interface for changing
passwords where it would be very easy to do), but I cannot ldap_bind()
with a password that is kept in {md5} format in userPassword.

Any hints?

p.

--
Beware of he who would deny you access to information, for in his
heart he dreams himself your master.   -- Commissioner Pravin Lal

Re: migrating from crypt to md5

by Piotr KUCHARSKI


On Tue, Oct 30, 2007 at 07:05:37PM +0100, Piotr KUCHARSKI wrote:
> I was trying to manually put an {md5} password in userPassword (19 chars
> long, because that's the motive for the change), but then the given user
> does not authenticate anymore. I thought slowly putting md5 passwords in
> userPassword would suffice (I have my own WWW interface for changing
> passwords where it would be very easy to do), but I cannot ldap_bind()
> with a password that is kept in {md5} format in userPassword.

OK, I've found out what the problem was. I've encoded "test" like this:
userPassword: {md5}$1$Uw9.1Ii4$0jb1EJmSPz66XpgF/jCsW.
while I should've used a different format:
userPassword: {md5}CY9rzUYh03PK3k6DJie09g==

Now OpenLDAP is happily binding the user and everything seems to work,
changing passwords locally (with passwd) also works as expected.

p.

--
Beware of he who would deny you access to information, for in his
heart he dreams himself your master.   -- Commissioner Pravin Lal
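
The difference between the two values in the reply above, as an added example that is not part of the original posts: the working `{md5}` value is the base64 of the raw 16-byte MD5 digest, while the `$1$...` string is an md5-crypt hash. The function names and return labels are assumptions made for this illustration.

```python
import base64
import binascii
import hashlib
import hmac

# The two userPassword values quoted in the thread (both encode "test").
REJECTED = "{md5}$1$Uw9.1Ii4$0jb1EJmSPz66XpgF/jCsW."
ACCEPTED = "{md5}CY9rzUYh03PK3k6DJie09g=="


def ldap_md5(password: str) -> str:
    """Build a {MD5} userPassword value: base64 of the raw MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def classify(value: str) -> str:
    """Label a userPassword value (labels are hypothetical, for this example)."""
    scheme, sep, body = value.partition("}")
    if not (scheme.startswith("{") and sep):
        return "cleartext-or-unknown"
    scheme = scheme[1:].lower()          # scheme names are case-insensitive
    if scheme != "md5":
        return scheme
    if body.startswith("$1$"):
        # md5-crypt output stored under the wrong scheme prefix
        return "md5-crypt-under-md5-prefix"
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "malformed-md5"
    return "md5" if len(raw) == 16 else "malformed-md5"


def verify(value: str, password: str) -> bool:
    """Check a password against a well-formed {MD5} value."""
    if classify(value) != "md5":
        return False
    expected = ldap_md5(password)[len("{MD5}"):]
    return hmac.compare_digest(value[len("{md5}"):], expected)


if __name__ == "__main__":
    for v in (REJECTED, ACCEPTED):
        print(classify(v), verify(v, "test"))
```

Running `classify` over an LDIF export before a migration flags entries like the first value, which would otherwise fail at bind time. `{MD5}` is a single unsalted MD5 pass; OpenLDAP also provides the salted `{SSHA}` scheme.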