Re: [ldap-nis] Re: md5 password problem! pam_ldap or openldap problem?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 22 Mar 2001, Wil Cooley wrote:

> Thus spake Paulo Matos:
>
> > 	I understand what you say, but I think you're getting out of the
> > issue. Why does it works fine if I remove ACL from slapd.conf on openldap?
>
> The problem is that pam_ldap, after you've bound anonymously and figured
> out which DN to use, attempts to re-bind with the DN it found from the
> anonymous bind, and uses the password given.  slapd uses crypt() for
> '{crypt}' passwords.  If the password uses the MD5 BSD extension, the
> crypt() needs to understand it.  If you get the OpenSSL 0.9.5a crypt(),
> it doesn't, if you get the system crypt() (or possibly the one from
> OpenSSL 0.9.6), it does.  When you remove the ACL, the user can get at
> userPassword anonymously, and doesn't need to re-bind.

	So, we may that even if user password was wrong he would still be
able to log in? Or  pam_ldap after bind anonymously, fetch the md5
passwd and compare them (I didn't see that code in pam_ldap).

-- 
	Paulo Matos
 ----------------------------------- ----------------------------------
|Sys & Net Admin                    | Serviço de Informática           |
|Faculdade de Ciências e Tecnologia | Tel: +351-21-2941346             |
|Universidade Nova de Lisboa        | Fax: +351-21-2948548             |
|P-2825-114 Caparica                | e-Mail: pjsm@fct.unl.pt          |
 ----------------------------------- ----------------------------------





[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux