
Thread: Migrating accounts/users from passwd/shadow file?

  1. #1
    Join Date
    Sep 2005
    Posts
    36
    Rep Power
    10

    Default Migrating accounts/users from passwd/shadow file?

    Greetings! How can I migrate user accounts from passwd/shadow file? Thanks

  2. #2
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    You'd need to write a script that calls our zmprov command line tool. We don't provide automatic migration of /etc/passwd today.

  3. #3
    Join Date
    Sep 2005
    Posts
    36
    Rep Power
    10

    Default

    Yep. A perl script that parses the passwd file is easy. I'm troubled with how zmprov accepts passwords. I tried executing zmprov with:

    zmprov ca joe@mydomain.com crypt{<crypted_text_from_shadow_file>}

    but it seems that it doesn't understand 'crypt'-ing my entered password

    Please enlighten me with this. Thanks

  4. #4
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    The password you pass into zmprov is itself turned into a salted-SHA password {SSHA}.

    We can do what you want, but it is tricky today:

    (1) you'd have to create the accounts first, with a random password

    (2) you'd have to then modify all the LDAP zimbraAccount entries and change the userPassword attribute to be the "{crypt}...." form.

    (3) you'd have to configure the domain to use external LDAP authentication, and point it back at the LDAP server. The reason being when we auth internally against our openldap, we don't bind, we already have the userPassword attr value, so we compute the SSHA of the cleartext password and compare.

    There are other issues, like when you change passwords we would "upgrade" the password to SSHA, etc.

    We can file a feature request to be more flexible to allow existing password encodings to be migrated into the Zimbra system.

    roland

  5. #5
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    I've just fixed this (bug 7691). If the password in OpenLDAP isn't in SSHA format, we'll fall back to binding to our OpenLDAP server as the user trying to login, so all the passwords that OpenLDAP supports should work (CRYPT, MD5, etc).

    When passwords are changed via the web (you can mark a password as "must change" in the admin console, and the user must change it at next login) they will get promoted to SSHA.

  6. #6
    Join Date
    Mar 2006
    Location
    L'Aquila, ITALIA
    Posts
    59
    Rep Power
    9

    Default Bug 7691

    Quote Originally Posted by schemers
    I've just fixed this (bug 7691). If the password in OpenLDAP isn't in SSHA format, we'll fall back to binding to our OpenLDAP server as the user trying to login, so all the passwords that OpenLDAP supports should work (CRYPT, MD5, etc).

    When passwords are changed via the web (you can mark a password as "must change" in the admin console, and the user must change it at next login) they will get promoted to SSHA.

    Ciao Roland,

    I simply haven't understood what to do to import an RH9 /etc/shadow file into Zimbra LDAP passwords: using zmprov and viewing the LDAP db, it seems that the stored passwords are an SSHA hash of the CRYPT pwd.
    I'm using the last release build, 3.1.4 June 27, 2006.

    Thanks,
    Claudio

  7. #7
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    Quote Originally Posted by claros
    Ciao Roland,

    I simply haven't understood what to do to import an RH9 /etc/shadow file into Zimbra LDAP passwords: using zmprov and viewing the LDAP db, it seems that the stored passwords are an SSHA hash of the CRYPT pwd.
    I'm using the last release build, 3.1.4 June 27, 2006.

    Thanks,
    Claudio

    See the 3rd comment. Just copy the text into a zmprov command.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  8. #8
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    Doing what is suggested in comment #3 doesn't work, since the server takes that value as the cleartext password and runs it through SSHA.

    The best option is to create the accounts with "" as the password (it actually gives them no password), and then use ldapmodify to explicitly set the "userPassword" attr to be the crypt'd version.

  9. #9
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    Default

    #2 would be great, but zmprov says userPassword is immutable.

    It's much easier to write a single line: ma <email> userPassword <hash>, than to write multi-line ldapmodify files where you also have to determine each DN.

    Will zmprov ca not accept a password hash if prefixed with {crypt}, or is there some way of making userPassword, err.., mutable?

    Being able to do this is a nice feature, as it means that passwords can be migrated over from many other installs from a wide variety of email systems.

  10. #10
    Join Date
    Mar 2007
    Posts
    11
    Rep Power
    8

    Talking shadow password hash into zimbra works

    This seems to work now in my 4.5.3 NE. Copy the hash out of the shadow file and prefix it with '{crypt}'.

    Code:
    zmprov ma user@domain userPassword '{crypt}$1$dblahblahstuff....'
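
The migration described in posts #8 and #10, as an added example that is not part of the original thread and is not Zimbra's own code: it reads shadow-format entries and emits the `zmprov ca` (empty password) and `zmprov ma ... userPassword '{crypt}...'` commands for each usable account. The sample entries, the domain, the `SKIP_USERS` set and the function name are assumptions; locked entries (`!` or `*` prefix) are skipped so a disabled login does not become usable after migration.

```python
import shlex

# Constructed sample in /etc/shadow format (placeholder hashes, not real ones).
SAMPLE_SHADOW = """\
root:$1$rootsalt$AAAAAAAAAAAAAAAAAAAAA.:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
joe:$1$abcdefgh$BBBBBBBBBBBBBBBBBBBBB/:13000:0:99999:7:::
ann:!$1$ijklmnop$CCCCCCCCCCCCCCCCCCCCC1:13000:0:99999:7:::
bob:!!:13000:0:99999:7:::
eve::13000:0:99999:7:::
kim:ab01FAX.bQRSU:13000:0:99999:7:::
"""

SKIP_USERS = {"root"}  # assumption: accounts that should not get a mailbox


def shadow_to_zmprov(shadow_text, domain, skip=SKIP_USERS):
    """Return (commands, skipped) for the entries of a shadow file."""
    commands, skipped = [], []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            skipped.append((fields[0], "malformed"))
            continue
        user, pw = fields[0], fields[1]
        if user in skip:
            skipped.append((user, "excluded"))
        elif pw == "":
            skipped.append((user, "empty password"))
        elif pw[0] in "!*":
            # "!<hash>" is a locked account, "*" and "!!" have no usable
            # password; none of them should be able to log in afterwards.
            skipped.append((user, "locked or disabled"))
        else:
            email = shlex.quote(f"{user}@{domain}")
            # Quote the value: hashes contain "$", which the shell would expand.
            value = shlex.quote("{crypt}" + pw)
            commands.append(f"zmprov ca {email} ''")
            commands.append(f"zmprov ma {email} userPassword {value}")
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = shadow_to_zmprov(SAMPLE_SHADOW, "mydomain.com")
    print("\n".join(cmds))
    for name, reason in skipped:
        print(f"# skipped {name}: {reason}")
```

The generated file contains password hashes, so it needs the same restrictive permissions as the shadow file it came from and should be deleted once the import has run.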
