On Thu, 22 Mar 2001, Wil Cooley wrote:

> Thus spake Paulo Matos:
>
> > I understand what you say, but I think you're getting out of the
> > issue. Why does it work fine if I remove ACL from slapd.conf on openldap?
>
> The problem is that pam_ldap, after you've bound anonymously and figured
> out which DN to use, attempts to re-bind with the DN it found from the
> anonymous bind, and uses the password given. slapd uses crypt() for
> '{crypt}' passwords. If the password uses the MD5 BSD extension, the
> crypt() needs to understand it. If you get the OpenSSL 0.9.5a crypt(),
> it doesn't; if you get the system crypt() (or possibly the one from
> OpenSSL 0.9.6), it does. When you remove the ACL, the user can get at
> userPassword anonymously, and doesn't need to re-bind.

So, we may say that even if the user password was wrong he would still be
able to log in? Or does pam_ldap, after binding anonymously, fetch the MD5
password and compare them (I didn't see that code in pam_ldap)?

--
Paulo Matos
 -----------------------------------  ----------------------------------
|Sys & Net Admin                     | Serviço de Informática            |
|Faculdade de Ciências e Tecnologia  | Tel: +351-21-2941346              |
|Universidade Nova de Lisboa         | Fax: +351-21-2948548              |
|P-2825-114 Caparica                 | e-Mail: pjsm@fct.unl.pt           |
 -----------------------------------  ----------------------------------
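To make the "crypt() needs to understand the MD5 extension" point concrete, here is an added example (not code from the thread, pam_ldap or OpenLDAP) that reimplements the '$1$' MD5 crypt in Python and mimics how slapd checks a '{crypt}' userPassword on re-bind: re-run crypt() with the stored value as the setting and compare. The DES-only crypt() is modelled as a stub that simply does not recognise '$1$' settings; the sample password and salt are constructed.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    """crypt(3)-style base64 of the low 6*n bits of v, least significant first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)

def md5_crypt(password, salt):
    """MD5-based crypt(3) ('$1$...', the BSD MD5 extension), salt is at most 8 chars."""
    pw, magic = password.encode(), b"$1$"
    sp = salt.encode().split(b"$")[0][:8]
    alt = hashlib.md5(pw + sp + pw).digest()
    ctx = hashlib.md5(pw + magic + sp)
    pl = len(pw)
    while pl > 0:                       # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = magic + sp + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return (out + _to64(final[11], 2)).decode()

def md5_aware_crypt(password, setting):
    """A crypt() that understands '$1$' (like the system crypt() in the thread)."""
    return md5_crypt(password, setting[3:]) if setting.startswith("$1$") else None

def des_only_crypt(password, setting):
    """Stub for a crypt() without the MD5 extension: cannot handle '$1$' settings."""
    return None

def verify_crypt_userpassword(stored, password, crypt_fn):
    """What slapd does on bind for a '{crypt}' userPassword: recompute and compare."""
    if not stored.startswith("{crypt}"):
        raise ValueError("not a {crypt} userPassword")
    hashed = stored[len("{crypt}"):]
    return crypt_fn(password, hashed) == hashed
```

With the MD5-capable crypt() the right password verifies and a wrong one does not; with the DES-only crypt() even the right password fails, which is the re-bind failure the thread describes.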