Re: [ldap-nis] Re: md5 password problem! pam_ldap or openldap problem?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thus spake Paulo Matos:
> On Thu, 22 Mar 2001, Joe Little wrote:
> 
> > between md5-digest and md5-cram (is that right?) there is enough
> > discrepancies on what hash algoritm is supported by the different OSes,
> > that I tend to steer clear of of using MD5. Rather, use crypt and SSL
> > streams or sha5 and ssl. Its a preference and not necessarily a
> > justifiable position, but it does solve a lot of issues I ran into.
> 
> 	I understand what you say, but I think you're getting out of the
> issue. Why does it works fine if I remove ACL from slapd.conf on openldap?

The problem is that pam_ldap, after you've bound anonymously and figured
out which DN to use, attempts to re-bind with the DN it found from the
anonymous bind, and uses the password given.  slapd uses crypt() for
'{crypt}' passwords.  If the password uses the MD5 BSD extension, the
crypt() needs to understand it.  If you get the OpenSSL 0.9.5a crypt(),
it doesn't, if you get the system crypt() (or possibly the one from
OpenSSL 0.9.6), it does.  When you remove the ACL, the user can get at
userPassword anonymously, and doesn't need to re-bind.

Wil
-- 
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

The penalty for laughing in a courtroom is six months in jail; if it
were not for this penalty, the jury would never hear the evidence.
		-- H. L. Mencken

Attachment: pgp00008.pgp
Description: PGP signature


[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux