migration from cyrus with encrypted password?

[schose]

Hello forum,

I want to migrate my users from cyrus to ZCS. The useraccount's are stored with as md5 in the mysql (pam_mysql).
I found a small article how to implement the migration with a 3rd authentication store with imapsync on
User Migration - Zimbra :: Wiki. IMHO there i have to set new account passwords for my users.

Do anyone see a possibity how to move the users without resetting the useraccount passwords?!

Thanks for you help in advance!

Andreas

[anteos]

Here you can find some useful info: [SOLVED] Massive migration using imapsync, don't know users passwords

You can create a Cyrus account and add it to the admins section of imapd.conf, then you can use that account as authuser1 in imapsync for all the accounts to migrate

You have to use AUTH=PLAIN and so imaps

[schose]

Thanks anteos for your idears! If this is working, it would mean, that id don't need the passwords for the useraccounts at source cyrus server.

I wonder if it is possible not to change the passwords for the user. So this is a little bit off-topic - the main question is how to migrate the md5 passwords from mysql into the openldap of zimbra.

[Rich Graves]

"md5" could mean different things. If they look like $1$f98sahyp98fhsaf98hwa then you have something that could be shoved directly into zimbra's openldap with syntax userPassword: {CRYPT}$1$f98sahyp98fhsaf98hwa. Or if you're lucky then you might be able to use the {MD5} scheme.

Worst case, you have the source, and you have a place to inject PAM modules. Even if you're not a programmer, you can abuse pam_script to temporarily grab you user passwords and feed them to slappasswd or zmprov setPassword.

[anteos]

Maybe these could help:

Migrating accounts/users from passwd/shadow file?

Import from OpenLDAP

[schose]

ok, i think i've got it. Sorry for some wrong information, but i rechecked an noticed that the passwords are not md5, but crypt.

So i taked the crypted passwords and insert them via ldap browser into the user attribute in zcs openldap. this works for me - now i only have to sync the passwords via script - but this should be no problem!

i recognized that i have to "zmcontrol stop && zmcontrol start" after changeing the user attribute. is there a shorter way?!

Again, thanks for your great support!

Andreas

[Rich Graves]

I'm surprised. Even if Zimbra's mailboxd and/or saslauthd caches password hashes, I'd expect it to double-check LDAP directly on failure.

You can run ~zimbra/bin/ldap or ~zimbra/bin/zmmailboxdctl to restart just those services without also restarting the MTA (postfix/clamav/amavisd), but since mailboxd takes the longest, this wouldn't be a very big win.

[dkarp]

i recognized that i have to "zmcontrol stop && zmcontrol start" after changeing the user attribute. is there a shorter way?!

If you wait 15 minutes, the cache will time out and Zimbra will fetch the correct hashed password from LDAP.