[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: md5 password problem! pam_ldap or openldap problem?



On Wed, 21 Mar 2001, Wil Cooley wrote:

wcoole> Thus spake Paulo Matos:
wcoole> ...
wcoole> > 	Does anyone have a similar problem? How can an ACL on slapd.conf
wcoole> > cause such behavior?! It does not make any sense...
wcoole> >
wcoole> > 	How exactly is done the password verification?!

	Can someone explain me this, please!

	Although I examined the code of pam_ldap I see no use of crypt(3)
for authentication purposes, only when generating a new password, so I
concluded passwd matching is done on ldap server.

	So why I get authenticated when I remove the ACL?

wcoole> > 	Is this a problem from pam_ldap or openssl?
wcoole>
wcoole> I believe the problem you are seeing is the same I ran into a few weeks ago.
wcoole> The problem is that the crypt() function from OpenSSL doesn't support the MD5
wcoole> extension.  See my posts here for more information:
wcoole>
wcoole> http://www.openldap.org/lists/openldap-software/200103/msg00114.html
wcoole>
wcoole> Note that the solution of re-ordering libraries doesn't seem to have
wcoole> worked consistently; probably the best is to have users change their
wcoole> passwords.

	So I have no solution to use md5 hashed passwords, unless I change
the ACL! In this case is the client side who does password matching?

-- 
	Paulo Matos
 ----------------------------------- ----------------------------------
|Sys & Net Admin                    | Serviço de Informática           |
|Faculdade de Ciências e Tecnologia | Tel: +351-21-2941346             |
|Universidade Nova de Lisboa        | Fax: +351-21-2948548             |
|P-2825-114 Caparica                | e-Mail: pjsm@fct.unl.pt          |
 ----------------------------------- ----------------------------------