I'm relatively sure that this is part of the same issue I struggled with a while back. Someone pointed me at an old post (from 1999) which contained the fix.
http://www.openldap.org/lists/openldap-software/200103/msg00125.html
It involves changing the order of the included libs when you compile OpenLDAP.
Here's a paste of the content of that post:
Thus spake Kurt D. Zeilenga:
> I believe there was an OpenLDAP ITS filed and closed. It's not really
> an OpenLDAP issue. We just use the crypt(3) the linker provides (based
> upon user provided configuration information). Other than avoiding
> {crypt} passwords (which are not portable) as crypt(3) differs widely
> from system to system, I suggest modifying OpenSSL not to provide
> crypt(3) on systems which provide one themselves.
I can see why you'd think that. It looks like OpenSSL 0.9.6 supports MD5
passwords now too; I see in the change log:
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
[Bodo Moeller]
Anyhow, I made this simple patch that moves $(LUTIL_LIBS) ahead of
$(SECURITY_LIBS), in case anyone else is searching the archives for a
solution to the same problem.
Wil
--
W. Reilly Cooley wcooley@nakedape.cc
Naked Ape Consulting http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and http://lnxs.org
people who take care of them. *Now with integrated crypto!*
irc.openprojects.net #lnxs
Men have a much better time of it than women; for one thing they marry later;
for another thing they die earlier.
-- H.L. Mencken
--- ./servers/slapd/Makefile.in.orig Thu Mar 8 15:57:24 2001
+++ ./servers/slapd/Makefile.in Thu Mar 8 16:02:35 2001
@@ -43,8 +43,9 @@
# $(LTHREAD_LIBS) must be last
XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
XXLIBS = $(LDBM_LIBS) $(SLAPD_LIBS) \
+ $(LUTIL_LIBS) \
$(SECURITY_LIBS) \
- $(LDIF_LIBS) $(LUTIL_LIBS)
+ $(LDIF_LIBS)
XXXLIBS = $(LTHREAD_LIBS) $(MODULES_LIBS)
BUILD_OPT = "--enable-slapd"
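Review bot: The ordering constraint this hunk creates in XXLIBS is undocumented; the only comment in view is "# $(LTHREAD_LIBS) must be last", which says nothing about $(LUTIL_LIBS) having to come before $(SECURITY_LIBS). The fix depends entirely on that order, so add a comment above XXLIBS stating it and the reason (which crypt(3) the linker picks up), otherwise a later tidy-up of the line can silently undo it. Also confirm that $(LDIF_LIBS) still links cleanly now that $(LUTIL_LIBS) precedes it, since the old line listed the two in the opposite order.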
Harry Rüter wrote:
> Hi,
>
>
>>Hi,
>>
>>
>>I've got a big problem migrating md5 passwords from the shadow file to
>>OpenLdap.
>>
>>I run OpenLdap 2.0.25 on a gentoo 1.2 distribution and use
>>MigrationsTools-44.
>>
>>My password in the shadow file is: $1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
>
>
> Is it really the entry from /etc/shadow or is it what
> the Migrationtools "generates" ?
>
>
>>When migrating it into ldap, userPassword is :
>>{crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1
>
>
> Seems you have (I think) DefaultHASH {crypt},
> or the Migrationtools do have ...
>
>
>>And Binding doesn't work.
>
>
> Sure.
>
>
>>I tried to change this to {MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1, but
>>it doesn't work either.
>>So I used GQ (GTK front end to LDAP) and generated the same password
>>in MD5. It gave: {MD5}CY9rzUYh03PK3k6DJie09g==
>>And it works!!!
>
>
> Try to look, how the entry now looks like (with ldapsearch).
> It will be base64-encoded and maybe looks like
> "$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1".
>
> Seems to be a problem of the Migrationtools I'd say ...
>
>
>>But what happened? The two md5 passwords don't seem to have the same
>>composition.
>
>
> Yes, because obviously the first one isn't really the MD5 hash
> of your password, as the algorithm guarantees that
> the same input generates the same MD5-hashed output !!!
>
>
>>
>>--
>>Frédéric Gaudy - Gestionnaire NTIC
>
>
> Greets Harry
>
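The three userPassword values quoted in this thread differ in structure, and a migration check can tell them apart without knowing the password. The following is an added example, not part of the original messages; the function names and category labels are chosen here for illustration.

```python
import base64
import binascii
import hashlib
import re

# md5-crypt in modular crypt format: $1$<salt, up to 8 chars>$<22-char digest>
MD5_CRYPT = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def ldap_md5(password: str) -> str:
    """Build an LDAP {MD5} value: base64 of the raw, unsalted MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def classify(user_password: str) -> str:
    """Describe how a userPassword value is structured (labels are illustrative)."""
    m = SCHEME.match(user_password)
    if not m:
        return "cleartext"
    scheme, value = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        # Handed to crypt(3); $1$ only verifies if the linked crypt(3) knows MD5.
        return "crypt-md5" if MD5_CRYPT.match(value) else "crypt-other"
    if scheme == "MD5":
        if MD5_CRYPT.match(value):
            return "mislabelled"  # salted md5-crypt string under the {MD5} scheme
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return "invalid-md5"
        # A genuine {MD5} value decodes to exactly 16 digest bytes.
        return "ldap-md5" if len(raw) == 16 else "invalid-md5"
    return "other-scheme"


if __name__ == "__main__":
    # The three values quoted in the thread above.
    for value in (
        "{crypt}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1",
        "{MD5}$1$s9.9KZi6$yIQDwx0FHTCHTHUX4DTAU1",
        "{MD5}CY9rzUYh03PK3k6DJie09g==",
    ):
        print(f"{classify(value):12} {value}")
```

Running the check over a migrated LDIF before import flags entries that carry an md5-crypt string under the wrong scheme, and lists the `{crypt}` entries that depend on which crypt(3) slapd was linked against.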