Using MD5 passwords with LDAP (no progress)
Jeff,
Thanks for this reply.
I tried using the passwd with both {CRYPT} and {MD5}
and it does not work.
Another thing to note is that when I use ldapsearch with the rootdn
I get a totally wacky userPassword field. It looks nothing like the
real hashed passwd.
So if the hashed passwd looks like:
{crypt}$1$IUVFU.Gl$EAxiELOKANSaTYac6q59W0
the ldapsearch passwd looks like this:
userPassword:: e2NyeXB0fSQxJElVVkZVLkdsJEVBeGlFTE9LQU5TYVRZcGo2cTU5VzA=
(note the 2 colons)
and the really mad thing is that gq still manages to show the same passwd
correctly, i.e.:
{crypt}$1$IUVFU.Gl$EAxiELOKANSaTYac6q59W0
and of course the authentication does not work.
So now I am totally lost about the goings-on here.
my slapd.conf (if it helps):
----------------------------------------------------------------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/redhat/rfc822-MailMember.schema
include /usr/local/etc/openldap/schema/redhat/autofs.schema
include /usr/local/etc/openldap/schema/redhat/kerberosobject.schema
# include local timesgroup schema:
include /usr/local/etc/openldap/schema/timesgroup.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
schemacheck on
sizelimit 200
timelimit 30 # Seconds
# password-hash {MD5}
database ldbm
suffix "dc=timesgroup,dc=com"
rootdn "cn=jatin,dc=timesgroup,dc=com"
rootpw {crypt}HGv4zIL8XuQr.
directory /usr/local/var/openldap-ldbm
# Indices to maintain
index uid pres,eq
index cn,sn pres,eq,sub
index objectClass eq
# ldbm access control definitions
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=jatin,dc=timesgroup,dc=com" write
by * none
access to attr=proxyAccess
by self read
by dn="cn=jatin,dc=timesgroup,dc=com" write
by * none
access to *
by dn="cn=jatin,dc=timesgroup,dc=com" write
by users read
----------------------------------------------------------------------------
Any ideas?
Jatin
On 2001.11.08 23:51 Jeff Costlow wrote:
> You are correct to use the {CRYPT} prefix, the {MD5} prefix uses a
> different algorithm than unix crypt(3) with MD5 passwords.
> See this thread in the Faq-O-Matic for algorithm info.
> http://www.openldap.org/faq/data/cache/419.html
> Short answer: if a password starts with $1$, it was hashed by crypt(3).
>
> If you are using the password modify extended operation, read the
> slapd.conf man page, as you probably want to use something like:
> password-hash {crypt}
> password-crypt-salt-format "$1$%.8s"
> to have slapd crypt(3) the user's password with the correct salt.
>
>
> If a passwd starts with $apr1$, it was generated by apache's htpasswd
> util, which uses a different, incompatible, MD5 algorithm. Kurt, would
> it make sense to add a new password handler to handle {apache} passwords?
> I know I might have found them useful at one point. I'd be willing to
> do the work. I'm sure the work done for that could be extended into any
> work done for RFC3112 (authPassword) work. BTW, anyone working on that?
>
>
> -----Original Message-----
> From: Jatin Nansi [mailto:jatin.nansi@timesgroup.com]
> Sent: Thursday, November 08, 2001 6:18 AM
> To: openldap-software@OpenLDAP.org
> Subject: Using MD5 passwords with LDAP
>
> The problem is that the user gets an Invalid Credentials message
> whenever I try connecting as the user. If I change the passwd to
> using {crypt} and create a new passwd, then the user authenticates,
> but not using {MD5} and the md5 crypted passwd.
>
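To make the two points in this thread concrete, here is an added example (not code from the thread or from OpenLDAP): it decodes the double-colon userPassword:: line exactly as ldapsearch printed it (LDIF base64-encodes such values, so the stored text is intact), reimplements the crypt(3) MD5 scheme that produces $1$ strings, and contrasts it with OpenLDAP's {MD5} scheme, which is only base64 of a raw MD5 digest. The function names are my own, and the known-answer values used for checking are the hashcat example hash for $1$ and the widely published {MD5} value for "password".

```python
import base64
import hashlib
import hmac
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The exact line ldapsearch printed in the message above; '::' means base64 (RFC 2849).
LDIF_LINE = "userPassword:: e2NyeXB0fSQxJElVVkZVLkdsJEVBeGlFTE9LQU5TYVRZcGo2cTU5VzA="

def ldif_value(line: str) -> str:
    """Return an LDIF attribute value, base64-decoding it when the separator is '::'."""
    _attr, _, rest = line.partition(":")
    return base64.b64decode(rest[1:].strip()).decode() if rest[:1] == ":" else rest.strip()

def _to64(v: int, n: int) -> bytes:  # crypt(3)'s own 6-bit alphabet, n chars, low bits first
    return bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Pure-Python MD5-crypt: what crypt(3) computes for hashes that start with $1$."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):     # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:                                    # one byte per bit of len(password)
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # 1000 fixed stretching rounds
        h = hashlib.md5(password if r & 1 else final)
        h.update(salt if r % 3 else b"")        # salt on rounds not divisible by 3
        h.update(password if r % 7 else b"")    # password on rounds not divisible by 7
        h.update(final if r & 1 else password)
        final = h.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = b"".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return (b"$1$" + salt + b"$" + out + _to64(final[11], 2)).decode()

def md5_scheme(password: bytes) -> str:
    # OpenLDAP's {MD5} scheme: base64 of the raw, unsalted MD5 digest; nothing like $1$
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()

def verify_userpassword(password: str, stored: str) -> bool:  # {CRYPT}$1$... or {MD5} value
    pw, (scheme, _, rest) = password.encode(), stored.partition("}")
    if scheme.upper() == "{CRYPT" and rest.startswith("$1$"):
        candidate = md5_crypt(pw, rest.split("$")[2].encode())
    elif scheme.upper() == "{MD5":
        candidate = md5_scheme(pw)[5:]
    else:
        return False                            # other crypt(3) formats not modelled here
    return hmac.compare_digest(candidate, rest)
```

The prefix names the algorithm: a $1$ string is only meaningful under {CRYPT}, and under {MD5} it can never match, which is the Invalid Credentials result seen in the thread.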