
Fwd: crypt MD5 passwords: invalid credentials



I sent this first to the pamldap list, but it occurred to me shortly
afterwards that this is really an OpenLDAP issue.

Wil
-- 
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
		-- H.L. Mencken
--- Begin Message ---
I'm having a problem with my setup, and I'm hoping someone can provide
some insight.

My 2 main LDAP servers are running on a variation on Red Hat 6.2
called Immunix.  They've been upgraded to OpenLDAP 2.0.7, with all the
necessary libraries.  This is a restricted-login system, so I'm not using
nss/pam LDAP on that system.  I'm not using anything fancy like Kerberos.
My workstations are using Immunix 7, which is also a variation on RH 7.
I have a temporary slave that's still running OpenLDAP 1.2 (well,
replication doesn't work right for obvious reasons, but I need it until
I can resolve this problem).

Users with simple crypt passwords ('{crypt}crypthash') can log in
fine to workstations, as can users with {md5} and {SSHA} passwords.
However, users with crypt MD5 passwords ('{crypt}$1$md5hash') cannot;
their connections fail with 'Invalid credentials'.  The PAM config files
in /etc/pam.d have 'md5' in the pam_unix lines on the workstation, and the closed
LDAP servers also have md5 in their pam_pwdb lines.  I'm assuming that somehow
the lack of a local login is causing the users to be rejected?  Even though slapd
is linked with libpam, I can't actually figure out which pam service it
identifies itself as; running lsof and strace revealed nothing.

Aside from having all my users with crypt MD5 passwords change their
passwords, is there a way I can get this to work?  Does anyone have
any insight?

Wil


--- End Message ---
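
An added example, not part of the original post: a small Python audit that reads an LDIF export and reports which userPassword storage form each entry uses, separating the '{crypt}$1$' (crypt MD5) accounts described above from traditional crypt, {md5} and {SSHA}. The DNs and hash strings are constructed sample data, and the function names and labels are illustrative.

```python
import base64
import re

# Constructed sample data: DNs and hash strings are made up for illustration.
_B64 = base64.b64encode(b"{crypt}$1$saltsalt$abcdefghijklmnopqrstuv").decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword: {crypt}ab01FAX.bQRSU\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    # base64 ('::') value, folded onto a continuation line as LDIF allows
    f"userPassword:: {_B64[:8]}\n {_B64[8:]}\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\n"
    "userPassword: {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n"
    "dn: uid=dave,ou=People,dc=example,dc=com\n"
    "userPassword: {md5}AAAAAAAAAAAAAAAAAAAAAA==\n"
)

def classify(value):
    """Return a label for one userPassword value (labels are illustrative)."""
    m = re.match(r"\{([^}]+)\}(.*)$", value, re.S)
    if not m:
        return "no-scheme"
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return scheme
    if rest.startswith("$1$"):
        return "crypt-md5"      # the form that fails in the post
    if rest.startswith("$"):
        return "crypt-other"    # some other modular crypt(3) format
    return "crypt-des" if len(rest) == 13 else "crypt-unknown"

def audit(ldif):
    """Map each entry's DN to the labels of its userPassword values."""
    result, dn = {}, None
    for line in re.sub(r"\n ", "", ldif).splitlines():  # unfold continuations
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):                        # '::' means base64
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        name, value = name.lower(), rest.strip()
        if name == "dn":
            dn = value
        elif name == "userpassword":
            result.setdefault(dn, []).append(classify(value))
    return result

def affected(ldif):
    """DNs holding at least one crypt MD5 password."""
    return sorted(dn for dn, kinds in audit(ldif).items() if "crypt-md5" in kinds)
```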
