Migrate users from iPlanet or Sun JES or Unix user with keep original user's password

[rungsan]

I want to migrate users from iPlanet or Sun JES or Unix user with keep original user's password. Before that I used to migrate users from Unix to iPlanet and iPlanet to SUN JES with ldapmodify command by enter userPassword attribute like this.
{CRYPT}cmKaxCui509lU
or
{SSHA}5SlPugduRSKLQJGAovO/kPQdiDqtTF08DmZWMQ==

But in Zimbra it not work (both zmprov and ldapmodify). Have any solutions to do it?

[schemers]

I've filed a bug (10409) and will fix this in 4.0.1 or 4.0.2. You'll be able to do the following:

Code:

ca smith@slapshot.liquidsys.com "" userPassword {SSHA}8+r0nkcErptqasSrFPcT0k81NFrbTcAS

Prior to 4.0, your best bet is to use ldapmodify and directly set it.

[dijichi2]

thankyou thankyou thankyou schemers!!!

in the meantime, here's a little cli php hack i wrote for a recent migration. it takes a csv file with each line "email,password", and outputs an ldif file. it assumes your existing password hash doesn't have the crypto prefix so if yours does you might want to strip out the {crypt} bit, and i only had two .tlds - .co.uk and .com - if you have more you'll have to add them or rewrite it properly, sorry for the ugly hack but might help someone here.

PHP Code:

<?php

$lines = file("passwords.csv");

$i=0;
foreach ($lines as $rawline) {
        $line = trim($rawline);
        $fields = split(",",$line);
        $accounts[$i]["email"] = $fields[0];
        $accounts[$i]["password"] = $fields[1];
        $i++;
}

foreach ($accounts as $account) {
        $email1 = split("\.",$account["email"]);
        $email2 = split("@",$email1[0]);
        echo "dn: uid=" .$email2[0] .",ou=people,dc=" .$email2[1];
        if ($email1[1] == "com") echo ",dc=com";
        if ($email1[1] == "co" && $email1[2] == "uk") echo ",dc=co,dc=uk";
        echo "\n";
        echo "changetype:modify\n";
        echo "replace:userpassword\n";
        echo "userpassword:{crypt}" .$account["password"];
        echo "\n\n";
}

?>

[dijichi2]

this looks like its been fixed in 4.0.1. thanks!!

[rungsan]

I was created user and passed in the encoded password but could not loged in.
These are users I created.

user1 userPassword: {SSHA}0oMapnVeZ+6OIpVk59Vuq26G4ZMmsYjt
user2 userPassword: {SSHA}0oMapnVeZ+6OIpVk59Vuq26G4ZMmsYjt
user3 userPassword: {SSHA}Hg7i6kx35cUblu4MEUFGl7iOnXckRqwB+WJCFg==
user4 userPassword: {SSHA}Hg7i6kx35cUblu4MEUFGl7iOnXckRqwB+WJCFg==
user5 userPassword: {CRYPT}wq0wMGe7XU5m

user1 created by zimbra, user2 passed in password from user1, both can loged in.
user3 and user4 passed in password from Sun JES but can't loged in.
user5 passed in password from Solaris password but can't loged in.

How to do it?

[dijichi2]

usnig 4.01 or 4.02? i haven't tested whether the hash passing actually works or not, hopefully it does. using zmprov to do this?

after you've done the import, look at the userPassword attribute once it's in ldap and compare it to the hash you provide to make sure it's going through untouched. also, sure your user3 and user4 passwords are ssha and not sha or md5? if they're md5 i think they need to go in as {crypt}.

[rungsan]

I test on zimbra 4.02 with zmprov command and the userPassword attribute after passing is same with original ldap and it is ssha (in Sun JES LDAP the output of ldapsearch command also show encoded type). I think this case is importance for migrating from exiting system.

[phoenix]

Did you check in bugzilla for bug 10409, you should find what you need there. It helps to check the bug reports that have been raised for a problem.