[Pkg-openldap-devel] Bug#592362: Please ship apr1 password module as well

Ryan Tandy ryan at nardis.ca
Fri May 30 01:38:24 UTC 2014


Hi Andras,

On 09/03/12 03:26 AM, Andras Korn wrote:
> while you're at it, please also include the apr1 password module.
>
> It's indispensable for migrating to LDAP from old apache-style htpasswd
> files that use md5 password hashes.

I've built this module and now I'm trying to test it.

When I set "password-hash {APR1}" in slapd.conf, or invoke
slappasswd(8) with "-h '{APR1}'", I can successfully authenticate using
the resulting hash, so that round-trip works.

I downloaded the atol.pl and ltoa.pl scripts linked from the ITS [1], 
but I haven't succeeded at importing an existing htpasswd file:

$ htpasswd -cb htpasswd user password
Adding password for user user
$ ./atol.pl htpasswd
user:{APR1}Mqs4EQHH/l97ZHwf+PFowGhHT0xPMGZ0
$ ldapadd -x -D cn=root,dc=example,dc=com -W
Enter LDAP Password:
dn: uid=test,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
userPassword: {APR1}Mqs4EQHH/l97ZHwf+PFowGhHT0xPMGZ0
adding new entry "uid=test,dc=example,dc=com"

$ ldapwhoami -x -D uid=test,dc=example,dc=com -w password
ldap_bind: Invalid credentials (49)

The reverse also doesn't work for me:

$ slappasswd -o module-load=pw-apr1 -h '{APR1}' -s password
{APR1}0+fJzuJZDLQLBvJlAYhtKXJTT1pLc2xU
$ echo 'user:{APR1}0+fJzuJZDLQLBvJlAYhtKXJTT1pLc2xU' | ./ltoa.pl | tee htpasswd
user:$apr1$rSOZKslT$/kko6GvthhEmdMUnN7jsZ/
$ htpasswd -vb htpasswd user password
password verification failed

And openssl(1) agrees with htpasswd(1) about the hash being wrong:

$ openssl passwd -apr1 -salt rSOZKslT password
$apr1$rSOZKslT$jALiGHT7TazNzS0w58JPW.

Do you see an obvious mistake that I made above?

Is this the same method you used to import hashes for use with pw-apr1?

[1] http://www.openldap.org/its/?findid=6826

thanks,
Ryan
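
Added example, not part of the message above or of the pw-apr1 code: a Python check that recomputes the `$apr1$` hash independently of atol.pl and ltoa.pl and compares it with what an `{APR1}` value stores. The layout base64(16-byte digest followed by the salt) is an assumption inferred from the sample values in the message, and the function names are hypothetical.

```python
import base64
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_digest(password: bytes, salt: bytes) -> bytes:
    """Raw 16-byte result of Apache's $apr1$ variant of MD5-crypt."""
    md5 = hashlib.md5
    alt = md5(password + salt + password).digest()
    ctx = md5(password + b"$apr1$" + salt)
    for i in range(0, len(password), 16):      # one alt byte per password byte
        ctx.update(alt[:len(password) - i])
    n = len(password)
    while n:                                   # one update per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds
        c = md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    return final

def crypt_encode(digest: bytes) -> str:
    """Encode a raw digest as crypt(3)/htpasswd print it: permuted, 22 chars."""
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = digest[a] << 16 | digest[b] << 8 | digest[c]
        out += [ITOA64[v >> s & 63] for s in (0, 6, 12, 18)]
    out += [ITOA64[digest[11] & 63], ITOA64[digest[11] >> 6]]
    return "".join(out)

def split_apr1(value: str):
    """Split an {APR1} value into (digest, salt). Layout is an assumption."""
    raw = base64.b64decode(value[len("{APR1}"):])
    return raw[:16], raw[16:]

def compare(value: str, password: bytes) -> dict:
    """Show stored vs. recomputed hash for one {APR1} value and password."""
    stored, salt = split_apr1(value)
    expected = apr1_digest(password, salt)
    return {"salt": salt.decode(), "stored": crypt_encode(stored),
            "expected": crypt_encode(expected), "match": stored == expected}

if __name__ == "__main__":
    # Value copied from the slappasswd session in the message above.
    print(compare("{APR1}0+fJzuJZDLQLBvJlAYhtKXJTT1pLc2xU", b"password"))
```

If "match" is false while "salt" is as expected, the stored digest bytes differ from the standard algorithm's output; if "match" is true, the difference lies in how the digest is re-encoded for htpasswd.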