The content of the userpassword attribute is populated by the Directory Server when this attribute is created or modified, so if you changed the password storage scheme just before shutting down the Directory Server instance, then the content of all userpassword attributes should still be the same.
So if I change the pwd storage scheme, stop the DS instance, export the DB, and re-import to the new instance, I would expect that the userpassword attribute should still keep the same 'encryption mode'.
It would be interesting to understand the exact chronology of the operations... would you mind doing a quick 'recap' of the operations done on both servers?
Thank you for taking the time to answer.
I didn't make any changes on my production server, I just did a hot export:
./dsconf export -h 127.0.0.1 'dc=osiris,dc=com' export.ldif
Then I created the same instance on my new server (osiris)
Then I created my suffix 'dc=osiris,dc=com'
Then I copied the 99user.ldif file from my old server to the new server
Then I shut down the instance and restarted it
Then I changed the password storage to CLEAR to be in the same configuration as the production server:
./dsconf set-server-prop pwd-storage-scheme:CLEAR
I shut down the instance again and restarted it
Then I did an import of the export.ldif:
./dsconf import -p 389 -e /opt/dsee7/resources/ldif/export.ldif dc=osiris,dc=com
Is this the correct chronology of operations, or did I miss something?
Thanks again for your help
Sorry for this late reply...
As far as I understand, you would like to use the export/import mechanism to turn all the passwords into clear, is that correct?
Unfortunately I'm afraid that what you're asking is not possible...
If the userPassword attribute is "encrypted" in the original Directory Server instance database, then regardless of what you set in the 'encryption-scheme', in the export.ldif file you will still have the attribute encrypted.
The same thing happens when you try to import from an ldif file: regardless of what you have set in the 'encryption-scheme' in the Directory Server, if the attribute in the ldif file is 'encrypted', it will stay 'encrypted' also in the database.
The only way to have the userPassword attribute in clear is to change the encryption-scheme and update the userPassword field of every entry.
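Because the stored form travels with each value through export and import, an export.ldif can be audited to see which storage scheme every entry really carries. The script below is an added example, not part of the original thread or of the product's tooling. It assumes userPassword values carry a `{SCHEME}` prefix and treats an unprefixed value as cleartext; the sample LDIF, its hash value and the function names are constructed for illustration.

```python
import base64
import re
from collections import Counter

# Constructed sample export (not from the thread); the hash value is a dummy.
SAMPLE_LDIF = """\
dn: uid=bob,ou=people,dc=osiris,dc=com
userPassword:: e0NMRUFSfWV4YW1wbGU=

dn: uid=carol,ou=people,dc=osiris,dc=com
userPassword: {SSHA}BBBBBBBBBBBBBBBBBBBB
 BBBBBBBBBBBBBBBB

dn: uid=dave,ou=people,dc=osiris,dc=com
userPassword: example2
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
WEAK = {"CLEAR", "NO-PREFIX"}  # assumption: an unprefixed value is cleartext

def password_schemes(text):
    """Map each DN to its userPassword scheme tags; values are never returned."""
    result, dn = {}, None
    # LDIF folds long lines: a newline followed by one space continues the value.
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank separator line or comment
        if rest.startswith(":"):  # 'attr:: ' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
            result[dn] = []
        elif attr.lower() == "userpassword" and dn is not None:
            m = SCHEME_RE.match(value)
            result[dn].append(m.group(1).upper() if m else "NO-PREFIX")
    return result

def summarize(text):
    """Count entries per storage scheme across the whole export."""
    return Counter(s for tags in password_schemes(text).values() for s in tags)

def weak_dns(text):
    """DNs whose password is stored in clear (or without any scheme tag)."""
    return [dn for dn, tags in password_schemes(text).items() if WEAK & set(tags)]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LDIF)), weak_dns(SAMPLE_LDIF))
```

Running it against the export taken before the import and against a fresh export from the new instance shows whether any value changed scheme along the way.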