How to add already encrypted password to openldap

I need to migrate legacy directory-like MySQL data to a new LDAP database. Not much hassle except for the passwords. They are stored as SHA-1 in the MySQL database (I checked I can generate them by typing "echo -n "cleartextpassword" | openssl dgst -sha1").

The problem is I fail to import them in our openldap server.

I'm afraid there might be 2 problems here.

First, an encryption/encoding problem: is this SHA-1 encoding usable as such in LDAP at all?

Second, an interface problem: when I use ldapadd or ldapmodify to enter/update the userPassword field, the data provided in the LDIF file is re-encrypted. Is it possible to somehow bypass this problem?

Thanks in advance


Solution 1:

I finally got it, after a lot of trials.

The SHA-1 strings I have are so-called hex digests. To get them into OpenLDAP, I first need to convert them back to the binary SHA-1 digest and then base64-encode that.

On the command line one could do that with:

echo -n "sha1-hex-digest" | xxd -r -p | openssl enc -base64

Then the resulting string should be inserted in the LDIF file this way:

userPassword: {SHA}base-64-blurb

For those interested, this could be done in Python this way:

import base64
import binascii

# 40-character hex SHA-1 digest, as stored in the MySQL table
sha1_pwd = "your-sha1-hex-digest-here"
# hex -> raw 20-byte digest -> base64 text, which is what the {SHA} scheme stores
ldap_pwd = base64.b64encode(binascii.unhexlify(sha1_pwd)).decode('utf-8')
print("userPassword: {SHA}%s" % ldap_pwd)
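As an added example (not part of the answer above), the same conversion wrapped in functions that also build the LDIF change record and verify a cleartext password against the resulting {SHA} value, which is the check you want before and after a migration. It assumes the stored hashes are plain unsalted SHA-1 hex digests as described in the question; the DN and the sample hashes below are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac


def hex_to_ldap_sha(hex_digest: str) -> str:
    """Convert a 40-char hex SHA-1 digest to the {SHA} form OpenLDAP stores:
    '{SHA}' followed by the base64 of the raw 20-byte digest."""
    raw = binascii.unhexlify(hex_digest.strip())
    if len(raw) != 20:
        raise ValueError("not a SHA-1 digest: %d bytes" % len(raw))
    return "{SHA}" + base64.b64encode(raw).decode("ascii")


def verify_ldap_sha(cleartext: str, ldap_value: str) -> bool:
    """Check a cleartext password against a {SHA} userPassword value, i.e. the
    comparison slapd makes on a simple bind: hash the candidate, compare digests."""
    if not ldap_value.startswith("{SHA}"):
        return False
    stored = base64.b64decode(ldap_value[len("{SHA}"):])
    candidate = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)


def ldif_replace_password(dn: str, hex_digest: str) -> str:
    """Build an ldapmodify change record that replaces userPassword with the
    already-hashed value, so nothing needs to be re-hashed on import."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: " + hex_to_ldap_sha(hex_digest),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample row: uid and the hex digest of the empty string.
    dn = "uid=jdoe,ou=people,dc=example,dc=com"   # hypothetical DN
    hex_digest = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    print(ldif_replace_password(dn, hex_digest))
```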