5 Replies Latest reply on May 6, 2013 9:21 AM by Bobm53-Oracle

    ldif import change the userPassword attribute

      Hi all,

      I am posting a message here because I am facing an obstacle.
      I did a migration from Sun Directory Server 6 on a Sun SPARC server to a Linux server with Directory Server 7.

      I have an issue with the LDIF import.

      When I export LDAP data from my old server, I get an ldif-export.ldif file, and when I import it I get no error:

      Started initialization of "xxx.xxx.xxx.xxx:389"; Apr 29, 2013 10:14:12 AM
      Sent 1314 entries...
      Sent 3794 entries...
      Sent 3795 entries.
      Completed initialization of "xxx.xxx.xxx.xxx:389"; Apr 29, 2013 10:14:16 AM

      But when I do an LDAP search, I can see that my new DSEE server does not contain the same password as my old server for the users' password attribute,
      and this in spite of the ldif-export file containing exactly the same password as the old server in production.
      I think that when I do an import, the new server changes the password or something like this.

      For example, on my old server, my user teo:

      userPassword:: teo
      cn: neo
      uid: neo
      objectClass: top
      objectClass: neoDevice1

      and on my new server I have:

      userPassword:: bmVv
      cn: neo
      uid: neo
      objectClass: top
      objectClass: neoDevice1

      I took the precaution of changing the server property with this command, to be sure of having the same config as the old server:

      ./dsconf set-server-prop pwd-storage-scheme:CLEAR

      I can't find where the issue is or what property to change to fix it.

      Otherwise there is no other problem in my LDIF import; all seems to be correct except the userPassword attribute.

      Thanks for your help
        • 1. Re: ldif import change the userPassword attribute
          Marco Milo-Oracle
          the content of the userpassword attribute is populated by the Directory Server when this attribute is created or modified, so if you changed the password storage scheme just before shutting down the Directory Server instance, then the content of all userpassword attributes should still be the same.

          So if I change the pwd storage scheme, stop the DS instance, export the DB, and re-import to the new instance, I would expect that the userpassword attribute should still keep the same 'encryption mode'.

          It would be interesting to understand which is the exact chronology of the operations... would you mind doing a quick 'recap' of the operations done on both the servers?

          • 2. Re: ldif import change the userPassword attribute
            Hi Marco,

            Thank you for taking the time to answer.

            I didn't make changes on my production server, I just did a hot export:

            ./dsconf export -h 'dc=osiris,dc=com' export.ldif

            Then I created the same instance on my new server (osiris).
            Then I created my suffix dc=osiris,dc=com.
            Then I copied the 99user.ldif file from my old server to the new server.
            Then I shut down the instance and restarted it.
            Then I changed the password storage to CLEAR to be in the same configuration as the production server:
            ./dsconf set-server-prop pwd-storage-scheme:CLEAR
            I shut down the instance again and restarted it.
            Then I did an import of the export.ldif:
            ./dsconf import -p 389 -e /opt/dsee7/resources/ldif/export.ldif dc=osiris,dc=com

            Is this the correct chronology of operations, or did I miss something?

            Thanks again for your help
            • 3. Re: ldif import change the userPassword attribute

              If I do an ldapmodify with the same cleartext password as the production server,
              my new LDAP seems to encrypt it.

              I can't find the solution; I just want to import my LDIF file, which contains cleartext passwords, into my new LDAP, still without encryption.
              • 4. Re: ldif import change the userPassword attribute
                Marco Milo-Oracle
                sorry for this late reply...

                As far as I understand, you would like to use the export/import mechanism to turn all the passwords into clear, is that correct?

                Unfortunately I'm afraid that what you're asking is not possible...

                If the userPassword attribute is "encrypted" in the original Directory Server instance database, then regardless of what you set in the 'encryption-scheme', in the export.ldif file you will still have the attribute encrypted.

                The same thing happens when you try to import from an ldif file: regardless of what you have set in the 'encryption-scheme' in the Directory Server, if the attribute in the ldif file is 'encrypted', it will stay 'encrypted' also in the database.

                The only way to have the userPassword attribute in clear is to change the encryption-scheme and update the userPassword field of every entry.

                • 5. Re: ldif import change the userPassword attribute
                  If you are confident that a password in the LDIF import file is in cleartext, you could modify that line in the following way before importing it:
                  userPassword: {CLEAR} <cleartext-password>
                  This ensures <cleartext-password> is imported as you want.
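As an added example (not code from the thread or from Oracle DSEE), the script below works through the two points made in replies 4 and 5: an LDIF export carries each userPassword with whatever storage-scheme prefix the source database already had, and a value with no prefix can be pinned as cleartext by prepending {CLEAR} before import. It also shows the LDIF rule that the double-colon separator (`userPassword:: bmVv`) only means the value is base64-encoded, so `bmVv` decodes to the cleartext `neo` rather than being a hash. The sample LDIF, the DNs under dc=osiris,dc=com, and the SSHA value are constructed for the demo; the only real conventions assumed are the RFC 2849 LDIF syntax and DSEE accepting a `{CLEAR}` prefix as the reply describes.

```python
"""Audit and normalise userPassword values in an LDIF export before import.

Two LDIF facts (RFC 2849) matter here:
  * "attr:: value" means the value is base64-encoded; "bmVv" is just "neo".
  * A userPassword with no "{SCHEME}" prefix is whatever the exporting server
    stored; an explicit "{CLEAR}" prefix states that it is cleartext.
"""
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

# Constructed sample export (assumed suffix and users; the SSHA value is a
# made-up placeholder, not a real hash). "bmVv" is base64 for "neo".
SAMPLE_LDIF = """\
dn: uid=neo,dc=osiris,dc=com
userPassword:: bmVv
cn: neo
uid: neo
objectClass: top
objectClass: neoDevice1

dn: uid=trinity,dc=osiris,dc=com
userPassword: {SSHA}c2FsdGVkLWhhc2gtcGxhY2Vob2xkZXI=
cn: trinity
uid: trinity
objectClass: top
objectClass: neoDevice1

dn: uid=morpheus,dc=osiris,dc=com
userPassword:: cMOkc3N3b3Jk
cn: morpheus
uid: morpheus
objectClass: top
objectClass: neoDevice1
"""


def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_attr(line):
    """Split 'name: value' / 'name:: base64' into (name, decoded value, was_base64).
    URL-valued attributes ('name:< url') are kept verbatim as text."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8", "replace"), True
    return name, rest.strip(), False


def parse_ldif(text):
    """Return [{'dn': str, 'attrs': [(name, value)]}] with base64 values decoded."""
    entries, cur = [], None
    for line in unfold(text):
        if not line.strip():
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, value, _ = split_attr(line)
        if name.lower() == "dn":
            cur = {"dn": value, "attrs": []}
        elif cur is not None:
            cur["attrs"].append((name, value))
    if cur is not None:
        entries.append(cur)
    return entries


def password_scheme(value):
    """Storage scheme named by a '{SCHEME}' prefix, upper-cased; None if there is none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def audit_passwords(text):
    """Map each DN to the scheme its userPassword carries (None = no prefix)."""
    report = {}
    for entry in parse_ldif(text):
        for name, value in entry["attrs"]:
            if name.lower() == "userpassword":
                report[entry["dn"]] = password_scheme(value)
    return report


def is_safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, and not starting with space, ':' or '<'."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def tag_cleartext(text):
    """Rewrite unprefixed userPassword values as '{CLEAR}value'; prefixed ones are left alone.
    Values that are not LDIF-safe are re-emitted base64-encoded with '::'."""
    out = []
    for line in unfold(text):
        if line.lower().startswith("userpassword:"):
            name, value, _ = split_attr(line)
            if password_scheme(value) is None:
                value = "{CLEAR}" + value
                if is_safe_string(value):
                    line = f"{name}: {value}"
                else:
                    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                    line = f"{name}:: {encoded}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for dn, scheme in audit_passwords(SAMPLE_LDIF).items():
        print(f"{dn}: {scheme or 'no scheme prefix'}")
    print(tag_cleartext(SAMPLE_LDIF))
```

Running the audit on a real export before the dsconf import tells you which entries already carry a hash prefix (those will stay hashed on the new server no matter what pwd-storage-scheme is set to) and which carry no prefix; only the latter are candidates for the {CLEAR} tagging, and the tagging is idempotent, so it is safe to run over a file that was already partly tagged.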