I am still trying to use /usr/bin/passwd to change the ldap userPassword attribute. I use openldap 2.0.7 and pam_ldap-98.

Using "pam_password crypt" in pam_ldap /etc/ldap.conf works right :-) However, using "pam_password md5" is only half-way working! :-(

By half-way, I mean that I can change the password, then logout, telnet again and be authenticated with the new password just changed. However, if I try to change it again with /usr/bin/passwd, I am not authenticated!?:

$ passwd
Enter login(LDAP) password:
LDAP Password incorrect: try again

/var/log/messages says:

Jan 12 14:18:20 gigatux passwd[32579]: pam_ldap: error trying to bind as user "uid=test,ou=administratif,ou=personnel,ou=personnes,dc=int-evry,dc=fr" (Invalid credentials)

I can only change back the password using ldappasswd (so bypassing pam_ldap). Having "password-hash {md5}" in slapd.conf, it results in something like this in the ldap directory with the ldap graphic browser GQ:

userPassword {MD5}ffeKtngHiDAvJfmQoh4hJA==

ldapsearch returns:

userPassword:: e01ENX1mZmVLdG5nSGlEQXZKZm1Rb2g0aEpBPT0=

Now when I change it again with /usr/bin/passwd (because now I am authenticated) I have:

userPassword {crypt}$1$SfBKaZk0$kmBakMUGlcoym6BKSg6Lf1

ldapsearch returns:

userPassword:: e2NyeXB0fSQxJFNmQkthWmswJGttQmFrTVVHbGNveW02QktTZzZMZjE=

But again, if I want to change it with /usr/bin/passwd, I return to the problem described above (invalid credentials!). It looks like pam_ldap /usr/bin/passwd cannot compare with an entry looking like this:

{crypt}$1$SfBKaZk0$kmBakMUGlcoym6BKSg6Lf1

However, I can't still logout and login again with that new password! So login works (auth type module I guess), but passwd doesn't (auth type module again?).
/etc/ldap.conf:

pam_password md5

/etc/pam.d/passwd:

#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so md5
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_warn.so
password   required     /lib/security/pam_cracklib.so retry=3 type=LDAP/UNIX debug
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_pwdb.so try_first_pass md5

/etc/pam.d/login:

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_unix_auth.so shadow audit
auth       required     /lib/security/pam_ldap.so use_first_pass debug
account    required     /lib/security/pam_time.so
account    required     /lib/security/pam_unix_acct.so
account    sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_unix_auth.so shadow md5 use_authtok audit
password   required     /lib/security/pam_ldap.so use_first_pass debug
session    sufficient   /lib/security/pam_unix_session.so
session    required     /lib/security/pam_ldap.so debug
session    optional     /lib/security/pam_console.so

I am getting mad about this. Has anyone succeeded in using md5 pam_ldap userPassword change? Where is the problem: pam.d/passwd, ldap.conf? How come for the same password and same scheme (md5) I get such different strings depending on the tools I use to change/show it?

ldappasswd:      {MD5}ffeKtngHiDAvJfmQoh4hJA==
ldapsearch:      e01ENX1mZmVLdG5nSGlEQXZKZm1Rb2g0aEpBPT0=
pam_ldap passwd: {crypt}$1$SfBKaZk0$kmBakMUGlcoym6BKSg6Lf1
ldapsearch:      e2NyeXB0fSQxJFNmQkthWmswJGttQmFrTVVHbGNveW02QktTZzZMZjE=

Thanks.

--
Jehan Procaccia
Institut National des Telecommunications | Email : Jehan.Procaccia@int-evry.fr
9 rue Charles Fourier                    | Tel : +33 (0) 160764436
91011 Evry France                        | Fax : +33 (0) 160764321
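Added illustration (not part of the original post, nor pam_ldap or OpenLDAP code) of why the four strings above can all belong to one password: ldapsearch prints "attr:: base64" for values it will not show raw, so the two ldapsearch strings decode back to the GQ values; and {MD5} (unsalted digest, base64) and {crypt}$1$ (salted Unix MD5-crypt) are two different encodings, so the same password never yields the same string under both. The password used is a constructed value; a scheme-aware verify() is what any component comparing a candidate against userPassword must do.

```python
import base64
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def decode_ldapsearch_value(b64):
    # ldapsearch prints "attr:: <base64>" whenever a value is not safe to show raw
    return base64.b64decode(b64).decode()

def ldap_md5(password):
    # OpenLDAP {MD5}: base64 of the unsalted 16-byte digest (the form ldappasswd produced)
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def _to64(v, n):  # crypt(3) style 6-bit encoding, least significant group first
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5_crypt(password, salt):
    # Unix MD5-crypt ($1$salt$hash) as crypt(3) computes it; salt is at most 8 chars
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a set bit, pw[0] otherwise
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$1$" + s.decode() + "$" + out + _to64(final[11], 2)

def verify(password, stored):
    # Scheme-aware comparison of a candidate against a stored userPassword value
    if stored.startswith("{MD5}"):
        return ldap_md5(password) == stored
    if stored.startswith("{crypt}$1$"):
        return "{crypt}" + md5_crypt(password, stored[10:].split("$", 1)[0]) == stored
    raise ValueError("unsupported scheme in " + stored)
```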