[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: unable to bind using encrypted password (ITS#324)
Likely a something worthy of a FAQ answer...
Forward to ITS for tracking purposes, will close at submitters request.
Heath S Hendrickson wrote:
>
> I figured out my problem. It's related to the schema. I copied
> Netscape's schema files from DS 4.1 over, modified them so openLDAP
> would read them in, and went from there.
>
> Turns out that the ldbm library has a check that looks at the SYNTAX
> of the attribute (regardless of what's stored in it). If it's binary
> (as the defalut Netscape userPassword attribute is), then it uses
> a completely different password verfificate routine. I knew that the
> lutil library was working correctly because my rootDN passowrd is
> in crypt format.
Historically, userPassword has been of type ces in U-Mich/OpenLDAP
despite the userPasswordSyntax (encoded as octetStringSyntax) as
indicated by X.520. This was likely done to allow use of a wider
variety of search filters. It is arguable that the syntax should
be 'bin', however I hesitate changing it (nor the behavior of the
backends) in 1.x.
> I checked my schema, and sure enough userPassword was bin. I changed
> it to ces, and all seems to be working correctly now.
>
> I can't say if this is the problem with the others or not, but it
> sure made a difference to me.
>
> Can you maybe explain why you rely on the SYNTAX instead of checking
> the value itself to determine if it's binary?
All values are binary...
> Does the ldbm backend actually store the values differently?
No.
> Anyway, you can close out my ITS (I can't seem to figure out how to
> get into the system as anything other than guest...so I couldn't reply
> via the ITS to the other problems).
>
> thanks,
> heath
>
> On Fri, Oct 15, 1999 at 10:20:31AM -0700, Kurt D. Zeilenga wrote:
> > First thing to do is to determine what's actually is broken.
> > ldappasswd
> > slapd
> > client
> > lutil library
> > getpass(3)
> >
> > (or combination there of).
> >
> > Eliminating getpass(3) is easy. Don't use prompting to specify
> > passwords to ldappasswd or any client. This eliminates the one
> > client issue.
> >
> > Eliminating ldappasswd is easy. Use a different tool to generate
> > the hashed passwords. (like the unix passwd(1) command to generate
> > crypt passwords (just prepend {crypt} to the passwd(5) password
> > string) and/or a small script to generate sha1/md5 hashes).
> >
> > This document provides perl code for {SHA} and {SSHA} passwords.
> > Could easily be modified to support other hashs.
> > http://developer.netscape.com:80/docs/technote/ldap/pass_sha.html
> >
> > There was also examples codes posted to openldap-general recently
> > in Python and PHP3...
> >
> > I suggest testing rootpw first. If this works, than userPassword
> > should work (they share the same password verification code).
> >
> > Also, note, I assume EVERYONE having these problems is running 1.2.x.
> > (preferrably 1.2.7 or OPENLDAP_REL_ENG_1_2). If you are running
> > another version, the problem could be related
> > to other factors. (such as ACLs under 2.0-devel/alpha).
> >
> > Also, I assume everyone is running with supplied schema. If you
> > changed the syntax of userPassword you will have problems.
> >
> > Kurt
> >
> > ----
> > Kurt D. Zeilenga <kurt@boolean.net>
> > Net Boolean Incorporated <http://www.boolean.net/>
>
> --
> ________________________________________________________________________
> | Heath S. Hendrickson | hendrickson@mediaone.net |
> | Full Time Engineer | heath@hml.com |
> | Part Time Webmaster | |
> ------------------------------------------------------------------------
--
Kurt D. Zeilenga <kurt@boolean.net>
Net Boolean Incorporated <http://www.boolean.net/>