Importing Encrypted Passwords Into eDirectory


Here's the question:

How do I import an encrypted password from a Linux /etc/shadow file into eDirectory?

Here's the answer Brad researched:

Yes, it is possible to store the encrypted password in eDirectory. First, you need eDirectory 8.6 or above and you need to install the NMAS SE that come with it. The encrypted password is stored in the SimplePassword.

The following TIDs lay the foundation for manipulating eDirectory passwords, specifically with LDAP:

  • Can the simple password be changed using LDAP? - TID-10066348

  • Necessary Rights to manage Simple Password for "Container Administrators" - TID-10070733

Another way is to use ICE to import the encrypted passwords into eDirectory. Here are Brad's notes:

Can the SHA1 password be written to the Simple Password through ConsoleOne?

  • I took a password "thisisatest" and converted it to a SHA1 Base64 password "{SHA}QtSmLFM1CZPqQQaenyz977DfCX0=".

  • I then dropped this password into the Simple Password through ConsoleOne.

  • I then tested authentication through a LDAP client and it failed authentication with a --669 error.

  • The ConsoleOne SNAPIN for NMAS Simple Password will only let you set a Clear Text Password. To get a SHA1 password into Simple Password of the directory it must be changed through LDAP or through custom write application.

How to input a SHA1 password into the Simple Password through ICE

Configuration Information:

  • eDirectory 8.6.2

  • NMAS 2.0 Standard Edition (comes with eDirectory) must be installed and running on all servers with replicas.

  • Note: The Standard Edition of NMAS is included eDirectory 8.6.x. NMAS 2 standard edition contains a limited number of NMAS login methods, namely the NDS method and the Simple Password method. It does not include the Enhanced Password method, and it does not include any third-party login methods. The standard edition will only allow a single Login Method per Login Sequence. It includes no Graded Authentication Support, and no Radius Support.

  • ConsoleOne 1.3.3

  • NDS Import/Export Wizard Snapin Version 85.00.00

Note: During the NMAS installation, the Simple Password login method must be selected and installed to store simple/hashed passwords. The Simple Password login method is not selected and installed by default. You can see if it is installed by looking under your authorized login methods in the Security Container in your tree. If it is not there, reinstall NMAS, selecting the Simple Password login method for installation.

#This LDIF file will change the Simple Password

version: 1

dn: cn=bwilliams,ou=people,dc=ncs,dc=com
changetype: modify
replace: userpassword
userpassword: {SHA}QtSmLFM1CZPqQQaenyz977DfCX0=

The easy way to input this LDIF file is through the Novell's ICE application. Below is the process for importing the LDIF file.

Using ICE as an Import Tool

Run ConsoleOne and run the NDS Import/Export Wizard:

  1. Within ConsoleOne select the Wizards Tab and click on the NDS Import/Export option.

  • Select Import LDIF File and click Next.

  • Select the Source LDIF file and click Next.

  • Select Destination LDAP Server and enter the Admin's Password.

  • Click on the Advanced button.

  • From the Advanced Options page, select the Store NMAS Simple password/Hashed password checkbox and click OK. This will import the SHA1 password into the Simple Password in eDirectory.

  • Now back at the Select Destination LDAP Server screen, click the Next button.

  • Click on the finish button to begin the LDIF import process.


How To-Best Practice
Comment List