
OpenSSL version of crypt() being used where local glibc version is desired (ITS#2013)



Full_Name: Diego Rivera
Version: 2.1.3
OS: Mandrake Linux 8.2
URL: ftp://ftp.openldap.org/incoming/openldap-2.1.3-crypt-first.patch
Submission from: (NULL) (196.40.43.218)


This issue affects OpenLDAP 2.1.3

Migrating passwords from /etc/shadow into OpenLDAP for LDAP-based authentication (with pam_ldap and nss_ldap from padl.com) doesn't work because OpenLDAP cannot rehash passwords using the "$1$%.8s" and "$1$%.8s$" salt format(s) (for crypt_md5) for comparison during authentication.  While this affects Linux Mandrake and RedHat distros (AFAIK), it could also affect other distributions.

The problem is that OpenLDAP links against -lcrypto from OpenSSL before linking against -lcrypt from glibc, and thus the crypt() function used is from OpenSSL, which does NOT support these salt formats (as of 0.9.6e).

This can be fixed with a small patch that changes top.mk, configure and configure.in, and is fully effective.

Applying the referenced patch allows crypt() from glibc to be used, which is the one used to hash these passwords in the first place.  Also, crypt() from glibc is used only if it's available and configured to be used (i.e., --enable-crypt-first and --enable-crypt are used when invoking configure).  You may use crypt (--enable-crypt) but may also choose not to link against -lcrypt before -lcrypto (--disable-crypt-first).  Also, --enable-crypt-first has no effect if --disable-crypt is used, or if crypt is not present.

The default behavior of configure is to NOT link against -lcrypt before -lcrypto.  This should be consistent with existing deployments.
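The link-order problem described in the report (libcrypto listed before libcrypt, so its crypt() shadows the glibc one) can be checked on a built slapd without re-running the migration. The script below is an added example, not part of the ITS submission or the OpenLDAP tree; it assumes, as the report states for OpenSSL 0.9.6e, that the linked libcrypto exports crypt(), and it reads the NEEDED entries of `readelf -d` in the order the dynamic linker will search them. The sample readelf output embedded in it is constructed.

```shell
#!/bin/sh
# Added check, not from the ITS report: decide which shared object will
# satisfy crypt() for a binary, judging by DT_NEEDED order. The dynamic
# linker searches NEEDED libraries in listing order, so a libcrypto that
# exports crypt() and is listed before libcrypt shadows the glibc version
# (assumption: this libcrypto exports crypt(), as the report says for 0.9.6e).

# Reads `readelf -d <binary>` output on stdin and prints the first NEEDED
# entry that could provide crypt(): "libcrypt", "libcrypto", or "none".
crypt_provider() {
    awk '
        /\(NEEDED\)/ && /libcrypt\.so/  { print "libcrypt";  found = 1; exit }
        /\(NEEDED\)/ && /libcrypto\.so/ { print "libcrypto"; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Constructed sample resembling `readelf -d slapd` for a build where -lcrypto
# was linked before -lcrypt (the situation the report describes).
SAMPLE_CRYPTO_FIRST='
 0x00000001 (NEEDED)                     Shared library: [libcrypto.so.0.9.6]
 0x00000001 (NEEDED)                     Shared library: [libcrypt.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]'

# Constructed sample for a build configured with --enable-crypt-first.
SAMPLE_CRYPT_FIRST='
 0x00000001 (NEEDED)                     Shared library: [libcrypt.so.1]
 0x00000001 (NEEDED)                     Shared library: [libcrypto.so.0.9.6]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]'

# Runs the check over a readelf listing held in a string.
check_sample() {
    printf '%s\n' "$1" | crypt_provider
}

if [ $# -eq 1 ]; then
    # Usage: sh check-crypt-order.sh /usr/sbin/slapd
    readelf -d "$1" | crypt_provider
else
    echo "crypto-first build resolves crypt() from: $(check_sample "$SAMPLE_CRYPTO_FIRST")"
    echo "crypt-first build resolves crypt() from:  $(check_sample "$SAMPLE_CRYPT_FIRST")"
fi
```

A result of "libcrypto" on a slapd that must verify $1$ (MD5-crypt) hashes is the misconfiguration the report describes; rebuilding with --enable-crypt --enable-crypt-first should move libcrypt ahead of libcrypto in the listing.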