LDAP passwordPolicyRequest failes with MD5 password hashing‏

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



PAM gurus,
 
I am seeing some strange issues when I attempt to use MD5 password hashing from my Red Hat Linux servers.  I am running OpenLDAP client (openldap-clients.2.3.43-3) with PAM (pam-0.99.6.2-6) on RHel5, and using the ppolicy overlay in the OpenLDAP server.  
 
I have the following:
 
In /etc/ldap.conf:
pam_password md5
pam_lookup_policy yes
 
 
In /etc/pam.d/system-auth:
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 type=LDAP
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
 
(Note: I've tried added the 'md5' to the pam_ldap.so line as well, no help).
 
 
Here's the problem:
 
With this configuration, I NEVER see the client send the passwordPolicyRequest Request Control message (controlType 1.3.6.1.4.1.42.2.27.8.5.1) in any LDAP request, thus the LDAP server never returns the password status (expired, etc.).  I've also noticed that the password in LDAP shows something like "{crypt}Fe9RyjhrMaom.".  So, as far as the users are concerned, their passwords never expire.
 
 
IF I change to use 'crypt' (or clear-text) instead of MD5, I see the Request Control in the LDAP bind from the Linux LDAP client, and password expiry notification works fine.
 
OR, IF I change the password in LDAP manually to MD5 (using ldapadmin tool), where it shows something like "{MD5}rFyeI1Li1xieh1hj2lRvRw==", the Request Control is sent from the client.
 
Any ideas?  Is this a known bug?
 
Thanks,
Joe
 		 	   		  
_________________________________________________________________
Windows 7: I wanted more reliable, now it's more reliable. Wow!
http://microsoft.com/windows/windows-7/default-ga.aspx?h=myidea?ocid=PID24727::T:WLMTAGL:ON:WL:en-US:WWL_WIN_myidea:102009

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux