You are correct to use the {CRYPT} prefix, the {MD5} prefix uses a different algorithm than unix crypt(3) with MD5 passwords.
See this thread in the Faq-O-Matic for algorithm info.
http://www.openldap.org/faq/data/cache/419.html
Short answer: if a password starts with $1$, it was hashed by crypt(3).
If you are using the password modify extended operation, read the slapd.conf man page, as you probably want to use something like:
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
to have slapd crypt(3) the users password with the correct salt.
If a passwd starts with $apr1$, it was generated by apache's htpasswd util, which uses a different, incompatible, MD5 algorithm. Kurt, would it make sense to add a new password handler to handle {apache} passwords? I know I might have found them useful at one point. I'd be willing to do the work. I'm sure the work done for that could be extended into any work done for RFC3112 (authPassword) work. BTW, anyone working on that?
-----Original Message-----
From: Jatin Nansi [mailto:jatin.nansi@timesgroup.com]
Sent: Thursday, November 08, 2001 6:18 AM
To: openldap-software@OpenLDAP.org
Subject: Using MD5 passwords with LDAP
The problem is that the user gets Invalid Credentials message
whenver i try connecting as the user. if i change to passwd to
using {crypt} create new passwd, then user authenticates.
but not using {MD5} and the md5 crypted passwd.