Is there a way to migrate an existing matrix-synapse user database to OpenLDAP?
I am looking for a way to migrate a huge Synapse home server database to OpenLDAP without resetting the users' passwords. Migration to LDAP is necessary as we would like to integrate all our online services with each other.
Therefore, I am looking for a way to make OpenLDAP understand Synapse's password hashes.
Synapse's hashing algorithm is explained here:
import unicodedata
import bcrypt

# password is the user's cleartext; password_pepper and bcrypt_rounds come from homeserver.yaml
pw = unicodedata.normalize("NFKC", password)
hashed = bcrypt.hashpw(
    pw.encode("utf8") + password_pepper.encode("utf8"),
    bcrypt.gensalt(bcrypt_rounds),
).decode("ascii")
Is it possible to implement such a hashing on OpenLDAP or any other open source LDAP server?
Solution 1:
If bcrypt is a valid algorithm for the underlying system, it should work as part of OpenLDAP's CRYPT password storage scheme.
If, for instance, your existing password hashes look like $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy, you should be able to set the userPassword attribute in OpenLDAP to {CRYPT}$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy and then authenticate.
(If you're doing this on the command line, make sure that the $text isn't interpreted as a shell variable before being input into the database.)
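The migration the answer describes, written out as a small script (an added example, not part of the question or the answer): it takes Synapse-style (name, password_hash) rows, constructed here, wraps each bcrypt hash as {CRYPT} and emits LDIF under an assumed uid=<localpart>,<base_dn> entry layout. It also encodes two checks a practitioner would want before running this for real: OpenLDAP's {CRYPT} scheme neither appends Synapse's password_pepper nor NFKC-normalises the typed password, so only pepper-less hashes verify after the move.

```python
import re
import unicodedata

# Synapse stores bcrypt in modular-crypt form: $2a|2b|2y$<cost>$<22-char salt><31-char hash>.
# OpenLDAP's {CRYPT} scheme hands that string to crypt(3), so $2x$ support depends on the
# system libcrypt (libxcrypt accepts bcrypt; glibc's own crypt does not).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed rows shaped like Synapse's users table (name, password_hash); the first hash
# is the one quoted in the answer and serves only as a format example.
SAMPLE_USERS = [
    ("@alice:example.org", "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("@bob:example.org", "$2b$12$" + "a" * 53),
    ("@eve:example.org", "not-a-bcrypt-hash"),  # e.g. an SSO-only account without a hash
]

def synapse_hash_input(password: str, password_pepper: str) -> bytes:
    """What Synapse feeds to bcrypt: NFKC-normalised password followed by the pepper.
    OpenLDAP does neither step, so only pepper-less hashes of passwords that NFKC leaves
    unchanged keep verifying after migration."""
    pw = unicodedata.normalize("NFKC", password)
    return pw.encode("utf8") + password_pepper.encode("utf8")

def pepper_is_portable(password_pepper: str) -> bool:
    """{CRYPT} cannot append a pepper, so only an empty password_pepper can be migrated."""
    return password_pepper == ""

def to_crypt_userpassword(synapse_hash: str) -> str:
    """Wrap a Synapse bcrypt hash as an OpenLDAP {CRYPT} userPassword value."""
    m = BCRYPT_RE.match(synapse_hash)
    if not m or not 4 <= int(m.group(1)) <= 31:
        raise ValueError(f"not a bcrypt modular-crypt hash: {synapse_hash!r}")
    return "{CRYPT}" + synapse_hash

def migrate(rows, base_dn: str, password_pepper: str):
    """Emit LDIF for every row with a usable hash; return (ldif_text, skipped_mxids).
    Assumes entries are named uid=<localpart> under base_dn. Feeding a file to
    ldapmodify also sidesteps the shell expanding '$2a$...' that the answer warns about."""
    if not pepper_is_portable(password_pepper):
        raise ValueError("password_pepper is set; migrated users could never log in")
    entries, skipped = [], []
    for mxid, pw_hash in rows:
        localpart = mxid[1:].split(":", 1)[0]  # "@alice:example.org" -> "alice"
        try:
            value = to_crypt_userpassword(pw_hash)
        except ValueError:
            skipped.append(mxid)
            continue
        entries.append(f"dn: uid={localpart},{base_dn}\nchangetype: modify\n"
                       f"replace: userPassword\nuserPassword: {value}\n-\n")
    return "\n".join(entries), skipped
```

Accounts that end up in the skipped list (no bcrypt hash in Synapse) need a separate path, such as a password reset, rather than a {CRYPT} value.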