# [SOLVED] Migrate from LDAP to /etc/shadow

## wmgoree

This isn't terribly Gentoo-related except that it's happening on a Gentoo system, but I figured what the heck:

I'm trying to migrate a bunch of users from openLDAP to being normal /etc/shadow & /etc/passwd users. * I slapcatted a nice LDIF of them all and awked that into a file which I catted with /etc/passwd and ran pwconv to make a new /etc/shadow **. The problem is, despite all claims to the contrary, the userPassword tokens from LDAP are *not* in the crypt(3) format /etc/shadow needs. 

Is there a way to get passwords out of openLDAP in a format /etc/shadow reading libraries can understand? Is there a way to tell what hashing or encryption openLDAP is using here? The ideal is for the users to be able to type in the same username and password they used before -- but obviously if LDAP is using some one-way hash that isn't compatible with crypt(3), that will be impossible. I just need to know if it can be done or not, and if so, how?

Thanks!

* Since someone will ask, "Why on earth would you migrate from openLDAP to /etc/shadow?", the answer is for the cash the client is paying me to do it.

** I also tried to run a script that did useradd -p $USERPASSWORD_TOKEN_FROM_LDIF, but that didn't work either

----------

## petrjanda

I doubt you can migrate passwords from LDAP to shadow since I think it would be a potential high security risk. I'm not saying it's not doable, but in my opinion it would be very hard.

----------

## Anior

The fastest and most accurate way of finding out what algorithm is used will most likely be to check the source.

----------

## curtis119

Moved from OTW. You'll get a much better response in Networking and Security. Any support request that has to do with your gentoo system should go in one of the support forums. OTW is strictly for non-gentoo related things.

----------

## rex123

slapd.conf has a line like

```
password-hash {CRYPT}
```

I would expect that the hashing in the ldap database would be using the hash function defined there

[edit: you're not an emacs user, are you? Must create flame-provoking retaliatory sig]

----------

## wmgoree

*curtis119 wrote:*

> Any support request that has to do with your gentoo system should go in one of the support forums. OTW is strictly for non-gentoo related things.


Thanks, curtis. I'm always iffy on what should go in the support forums if it doesn't really have to do with Gentoo except for the fact that it happens to be on a Gentoo server (the question would be the same if this were a RHEL box; I just wouldn't have nearly as much community support :) )

----------

## wmgoree

*rex123 wrote:*

> slapd.conf has a line like
>
> ```
> ...
> ```


Bingo! Thanks. There's no line, which means it defaults to SSHA, which means I can tell the client he'll need to rent some time on a hash-collision cluster if he wants to keep going with this idea.

----------

## rex123

Another thing: it can be overridden. The userpassword attribute in ldap has the algorithm in it, like {CRYPT}23489jfgh895 or {MD5}asndfo234nrjkln or whatever.

When you do slapcat, you don't see this, because you see the base64-encoded string.

So, try doing a base64-decode of your slapcat userpasswords. That should tell you the actual algorithm (and maybe give you the right hash to copy to shadow).
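Following rex123's suggestion, here is an added example (not from the thread or from OpenLDAP) that decodes the base64 `userPassword::` values in a slapcat LDIF, reads the `{SCHEME}` prefix, and reports which entries hold a crypt(3) string that can go into /etc/shadow unchanged and which (SSHA, SHA, MD5, SMD5) can only be migrated by having the user set a new password. The LDIF sample is constructed inline, and `parse_ldif`, `classify` and `audit` are names chosen here.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
RFC2307_SCHEMES = {"SHA", "SSHA", "MD5", "SMD5"}   # RFC 2307 digests, not crypt(3) format

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds continuation lines and decodes '::' base64."""
    entries, attrs = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:   # "\n " joins folded lines
        if not line:
            if attrs:                       # a blank line (or the sentinel) ends an entry
                entries.append(attrs)
                attrs = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # 'attr:: ...' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name, []).append(value.strip())
    return entries

def classify(stored):
    """Map a decoded userPassword value to (scheme, hash, action for the shadow migration)."""
    m = SCHEME_RE.match(stored)
    if not m:
        return "cleartext", stored, "re-hash with crypt(3) before writing /etc/shadow"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        action = "crypt(3) string: copy into the shadow password field as-is"
    elif scheme in RFC2307_SCHEMES:
        action = "not crypt(3): user must set a new password"
    else:
        action = "unknown scheme: check slapd password-hash and loaded overlays"
    return scheme, rest, action

def audit(ldif_text):
    """Return {uid: classify(userPassword)} for every entry that has both attributes."""
    return {e["uid"][0]: classify(pw) for e in parse_ldif(ldif_text)
            if "uid" in e for pw in e.get("userPassword", [])}

def _entry(uid, stored):
    """Constructed slapcat-style entry: userPassword base64-encoded ('::') and folded at 76 columns."""
    line = "userPassword:: " + base64.b64encode(stored.encode()).decode()
    folded = "\n ".join(line[i:i + 76] for i in range(0, len(line), 76))
    return f"dn: uid={uid},ou=people,dc=example,dc=com\nuid: {uid}\n{folded}\n\n"

# Constructed sample directory dump; none of these values come from a real system.
SAMPLE_LDIF = (_entry("alice", "{CRYPT}$6$c0nstructedSalt$FakeCrypt3HashValueForIllustrationOnly")
               + _entry("bob", "{SSHA}" + "A" * 32)
               + _entry("carol", "{MD5}" + "A" * 24))
```

Running `audit(SAMPLE_LDIF)` flags alice as portable and bob and carol as needing a password reset, which is the per-user answer to the question in the first post.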

----------

