
RE: password exop and encrypted passwords



This may not be directly related to exop, but I have had to do some password
behavior debugging recently and this may help.

RedHat 7.1
OpenLDAP 2.0.7

I've been using my directory for account management across several Linux
machines and all was working well. I had finally gotten passwd to actually
change the user's password in their directory entry and tested the new
password by logging into other machines on my net. Everything worked fine.

Then people started screaming that they could no longer pick up email (via
pop, qpopper in this case). I noticed that this was true of any account that
used passwd to change their password, others that had not were working fine.

Turns out that the act of changing the password via passwd was storing the
value in userPassword as Base64 encoded text (pretty sure), whereas the
unchanged passwords were stored in crypt format (these entries were
originally made via the Perl account migration tools). So, via ldapbrowser,
I entered a new value for userPassword and noticed that it stored the value
in SHA format. Qpopper was still not happy with these passwords.

I searched this list and found a reference to putting a "password-hash
{CRYPT}" entry in slapd.conf. This fixed the SHA problem when entering data
via ldapbrowser (an excellent tool IMO), but not the passwd problem.

In any case, ldapsearch appears to return the Base64 encoded value for the
userPassword attribute, as other people on the list have confirmed.

As for passwd, has anybody gotten it to modify passwords in a directory
using a specific hash algorithm?
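
One way to check which storage scheme each userPassword value actually uses when ldapsearch prints the attribute Base64-encoded, as described in the message above. This is an added example, not part of the original post: the DNs and password values are constructed, and it assumes LDIF output in which `userPassword::` marks a Base64 value and stored hashes carry a `{SCHEME}` prefix such as `{CRYPT}` or `{SHA}`.

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")

def ldif_values(ldif, attr="userPassword"):
    """Yield (dn, raw_bytes) for every value of attr in LDIF text."""
    dn = None
    name = attr.lower()
    # LDIF folds long lines; a continuation line starts with one space.
    unfolded = re.sub(r"\n ", "", ldif)
    for line in unfolded.splitlines():
        low = line.lower()
        if low.startswith("dn:"):  # Base64 DNs ("dn::") are not handled here
            dn = line.split(":", 1)[1].strip()
        elif low.startswith(name + "::"):  # "::" means the value is Base64
            yield dn, base64.b64decode(line.split("::", 1)[1].strip())
        elif low.startswith(name + ":"):  # single ":" means a plain value
            yield dn, line.split(":", 1)[1].strip().encode()

def scheme_of(raw):
    """Return the {SCHEME} prefix of a stored value, or CLEARTEXT if none."""
    m = SCHEME_RE.match(raw)
    return m.group(1).decode().upper() if m else "CLEARTEXT"

def audit(ldif):
    """Map each entry DN to the scheme of its userPassword value."""
    return {dn: scheme_of(raw) for dn, raw in ldif_values(ldif)}

def _entry(uid, stored):
    # Build one constructed LDIF entry the way ldapsearch would print it.
    b64 = base64.b64encode(stored).decode()
    return f"dn: uid={uid},ou=People,dc=example,dc=com\nuserPassword:: {b64}\n\n"

# Constructed sample data: none of these are real accounts or real hashes.
SAMPLE = (
    _entry("alice", b"{CRYPT}ab0123456789A")
    + _entry("bob", b"{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()))
    + _entry("carol", b"constructed-cleartext")
)

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE).items():
        print(f"{scheme:10} {dn}")
```

Entries reported as CLEARTEXT or with a scheme the consuming service cannot verify are the ones to look at first when some accounts authenticate and others do not.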