Thus spake Paulo Matos:
> On Thu, 22 Mar 2001, Joe Little wrote:
>
> > between md5-digest and md5-cram (is that right?) there is enough
> > discrepancies on what hash algorithm is supported by the different OSes,
> > that I tend to steer clear of using MD5. Rather, use crypt and SSL
> > streams or sha5 and ssl. It's a preference and not necessarily a
> > justifiable position, but it does solve a lot of issues I ran into.
>
> I understand what you say, but I think you're getting out of the
> issue. Why does it work fine if I remove ACL from slapd.conf on openldap?

The problem is that pam_ldap, after you've bound anonymously and figured
out which DN to use, attempts to re-bind with the DN it found from the
anonymous bind, and uses the password given. slapd uses crypt() for
'{crypt}' passwords. If the password uses the MD5 BSD extension, the
crypt() needs to understand it. If you get the OpenSSL 0.9.5a crypt(),
it doesn't; if you get the system crypt() (or possibly the one from
OpenSSL 0.9.6), it does. When you remove the ACL, the user can get at
userPassword anonymously, and doesn't need to re-bind.

Wil

--
W. Reilly Cooley                            wcooley@nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and  http://lnxs.org
people who take care of them.               *Now with integrated crypto!*
irc.openprojects.net                        #lnxs

The penalty for laughing in a courtroom is six months in jail; if it
were not for this penalty, the jury would never hear the evidence.
        -- H. L. Mencken
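To make the re-bind step concrete, here is an added example (not from this thread, and not OpenLDAP's or OpenSSL's code) that implements the MD5 BSD extension to crypt() (the "$1$" format) in pure Python and performs the kind of '{crypt}' userPassword comparison slapd has to do when the user re-binds; the function names and the sample salt are assumptions made for the example.

```python
# Added example (not from the thread or from OpenLDAP): pure-Python MD5-crypt, the
# "$1$" BSD extension to crypt(), plus a slapd-style "{crypt}" userPassword check.
import hashlib
import hmac

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, n):
    """crypt's base-64 variant: n chars, least-significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5_crypt(password, salt):
    """MD5-crypt as in the original md5crypt.c; salt may be a full hash string."""
    pw, sp = password.encode(), salt.encode()
    if sp.startswith(MAGIC):
        sp = sp[len(MAGIC):]
    sp = sp.split(b"$", 1)[0][:8]  # the real salt: up to 8 chars before '$'
    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):  # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000-round stretching
        c1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c1.update(sp)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return (MAGIC + sp + b"$" + enc).decode()

def verify_userpassword(user_password, candidate):
    """The re-bind check slapd performs for a '{crypt}' value; only '$1$' here."""
    h = user_password[7:] if user_password.lower().startswith("{crypt}") else user_password
    if not h.startswith("$1$"):  # a crypt() lacking the MD5 extension fails at this point
        raise NotImplementedError("only the $1$ (MD5) crypt format is implemented")
    return hmac.compare_digest(md5_crypt(candidate, h), h)
```

The value produced for a given salt matches what `openssl passwd -1 -salt saltsalt password` prints, so a stored '{crypt}$1$...' entry can be cross-checked against a crypt() implementation that does understand the extension.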