Thus spake Wil Cooley:
> Users with simple crypt passwords ('{crypt}crypthash') can login
> fine to workstations, as can users with {md5} and {SSHA} passwords.
> However, users in crypt MD5 passwords ('{crypt}$1$md5hash') cannot;
> their connections fail with 'Invalid credentials'. The PAM config files
> in /etc/pam.d have 'md5' in the pam_unix lines on the workstation,
> and the closed LDAP servers also have md5 in their pam_pwdb lines.
> I'm assuming that somehow the lack of a local login is causing the
> users to be rejected? Even though slapd is linked with libpam, I
> can't actually figure out which pam service it identifies itself as,
> running lsof and strace revealed nothing.

Okay, I think I've figured out what's happening, but not a good
solution--it involves

a) Re-linking OpenLDAP and changing the link order so the glibc system
   crypt() is linked before the OpenSSL crypt. (Will this work reliably?)

b) Rebuilding OpenSSL to exclude its crypt, with a patch probably
   attainable from Howard Chu <hyc@highlandsun.com>.

c) Having my users change their passwords to use RFC2307-style passwords.

At this point, /c/ sounds like the easiest, unless someone can present me
with a patch to do /a/ or assure that it will be reliable.

For reference for other people facing this problem, this user in this
message suffers the same problem:

http://www.openldap.org/lists/openldap-software/200102/msg00558.html

This user does too, but it wasn't as immediately obvious to me, although
Kurt and Howard offered tentative solutions:

http://www.openldap.org/lists/openldap-software/200101/msg00241.html

I suspect more people will have this problem; I'm looking in the issue
tracking database, and will open a ticket if I can't find one.

Wil
--
W. Reilly Cooley                      wcooley@nakedape.cc
Naked Ape Consulting                  http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and people who take care of them.
http://lnxs.org                       irc.openprojects.net #lnxs
*Now with integrated crypto!*

Men have a much better time of it than women; for one thing they marry
later; for another thing they die earlier.
                -- H.L. Mencken
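An added example, not part of the original message: for option /c/, a small audit that reads an LDIF export and lists the accounts whose `userPassword` is stored as `{crypt}$1$...`, the form the message reports failing, so those users can be asked to set a new password in a scheme such as `{SSHA}`. The function names, DNs and hash values are constructed for illustration, and the LDIF parsing is simplified (no folded lines, exact attribute case).

```python
import base64
import hashlib

def make_ssha(password: str, salt: bytes) -> str:
    """{SSHA}: base64(SHA1(password + salt) + salt); no crypt() involved."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def classify(value: str) -> str:
    """Name the storage scheme of one userPassword value."""
    scheme, sep, rest = value.partition("}")
    if not sep or not scheme.startswith("{"):
        return "NO-SCHEME"
    scheme = scheme[1:].upper()
    if scheme != "CRYPT":
        return scheme                  # e.g. MD5, SSHA: hashed by slapd itself
    if rest.startswith("$1$"):
        return "CRYPT-MD5"             # needs a crypt() that understands $1$
    return "CRYPT-OTHER" if rest.startswith("$") else "CRYPT-DES"

def audit(ldif: str) -> dict:
    """Map each DN to the scheme of its userPassword value."""
    found, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):   # base64-encoded value
            found[dn] = classify(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: "):
            found[dn] = classify(line[14:])
    return found

def needs_change(ldif: str) -> list:
    """DNs whose bind depends on MD5-crypt support in the linked crypt()."""
    return sorted(dn for dn, kind in audit(ldif).items() if kind == "CRYPT-MD5")

# Constructed sample data: DNs are made up and the {crypt} hashes are placeholders.
_carol = base64.b64encode(make_ssha("example", b"salt").encode()).decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,dc=example,dc=com
userPassword: {{crypt}}abCONSTRUCTED

dn: uid=bob,dc=example,dc=com
userPassword: {{crypt}}$1$examplesa$CONSTRUCTEDPLACEHOLDER

dn: uid=carol,dc=example,dc=com
userPassword:: {_carol}
"""

if __name__ == "__main__":
    print(needs_change(SAMPLE_LDIF))
```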