Current releases of OpenSSL (up to 0.9.6e at the time of this writing) include a crypt(3) function in the OpenSSL crypto library. This function implements the traditional 56-bit DES crypt() password algorithm. On most Unix systems, the OpenSSL version of crypt(3) is not needed since crypt(3) is usually a standard part of the Unix C libraries.
Newer Unix systems also support other password hash algorithms including MD5 and DES-based hashing with longer than 8 significant password characters. On these platforms, the OpenSSL crypt(3) function should not be used because it will not support these newer hash algorithms, and so it will be incompatible with the hashes generated by the platform's native tools.
Unfortunately the OpenSSL crypt(3) function is compiled by default when OpenSSL is built, even though it is not needed (and frequently not useful) on most Unix platforms. Furthermore, when OpenLDAP is built with OpenSSL, the OpenSSL libraries will be linked before the native system's C libraries, so the native version will not be used. This situation causes lots of problems when trying to use the natively generated password hashes with OpenLDAP.
The solution is to rebuild the OpenSSL crypto library, with the crypt(3) function commented out or otherwise disabled. This function is in crypto/des/fcrypt.c in the OpenSSL source. After it is removed and the crypto library is rebuilt, OpenLDAP will be able to use the OpenSSL library without any further problems. If you're using dynamic/shared libraries, simply reinstalling libcrypto will be enough to fix the problems. Otherwise you'll need to relink the OpenLDAP binaries to get the correct behavior.
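Two checks a practitioner would want around this fix, as an added example that is not part of the original FAQ: whether a libcrypto build still exports a global `crypt` symbol (the shadowing problem described above), and whether a given password hash is the classic 13-character DES form or a modular `$id$` form that OpenSSL's crypt(3) cannot verify. Library paths and the sample `nm` output and hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the FAQ. Sample values are constructed.

# exports_crypt: reads `nm -D <libcrypto.so>` output on stdin and succeeds
# (exit 0) when a defined text symbol named exactly "crypt" is present,
# i.e. fcrypt.c was still compiled into the library.
exports_crypt() {
    awk '$2 == "T" && $3 == "crypt" { found = 1 } END { exit !found }'
}

# hash_kind: prints "des" for a classic 13-character crypt(3) hash,
# "modular" for $1$ (MD5), $5$/$6$ (SHA) and similar forms, else "unknown".
hash_kind() {
    case "$1" in
        '$'[0-9a-z]*'$'*) echo modular ;;
        *)
            if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# Constructed sample of `nm -D` output for a libcrypto built with fcrypt.c.
SAMPLE_NM='0000000000123450 T crypt
0000000000123460 T DES_fcrypt
0000000000123470 T DES_crypt'

if printf '%s\n' "$SAMPLE_NM" | exports_crypt; then
    echo "libcrypto exports crypt(): it will shadow the native crypt(3) in OpenLDAP"
fi

# Constructed hashes (not real credentials): a DES hash and an MD5 modular hash.
for h in 'abJnggxhB/yWI' '$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.'; do
    echo "$h -> $(hash_kind "$h")"
done

# Real use (path is an assumption):
#   nm -D /usr/local/ssl/lib/libcrypto.so | exports_crypt && echo "rebuild needed"
```

If `exports_crypt` succeeds on the library OpenLDAP links against, and the native tools produce `modular` hashes, the rebuild described above is required.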