
RE: userPassword - if it's stored in {crypt} format, how do you make ldappasswd keep it that way when a user changes it?



I fail to see what is inaccurate in my mail (other than the typo "$1$.8s" -> "$1$%.8s")

I hope you are not confusing {MD5} with {CRYPT}.
You should use {CRYPT} _in all cases when you are using crypt(3)_.
If you attempt to use:
{MD5}$1$abcd$qQ0kR31KkqAPBzUtCqAe.. 
Good Luck, it won't work.

{CRYPT}$1$abcd$qQ0kR31KkqAPBzUtCqAe..
Will work as long as your crypt(3) supports md5-style crypts.

Please check the Faq-O-Matic pages at:
http://www.openldap.org/faq/data/cache/419.html


The password-crypt-salt-format was specifically written so that you could specify the format of a salt for different behaviors of crypt(3).  Ever seen "_..abcrypt" "enhanced DES" versions of crypt(3)?

-----Original Message-----
From: pll+ldap@lanminds.com [mailto:pll+ldap@lanminds.com]
Sent: Tuesday, May 20, 2003 1:37 PM
To: Jeff Costlow
Cc: Lawrence, Mike (White Plains); openldap-software@OpenLDAP.org
Subject: Re: userPassword - if it's stored in {crypt} format, how do you
make ldappasswd keep it that way when a user changes it? 



In a message dated: Tue, 20 May 2003 11:19:33 PDT
"Jeff Costlow" said:

>slapd.conf(5) and search for password-hash and password-crypt-salt-format.
>
>here's what I have in my slapd.conf:
>password-hash {CRYPT}
>password-crypt-salt-format "$1$.8s"
>
>but if you use the 2nd line above, make sure that you have a crypt that supports $1$....$.... md5-based password.
>$1$...$.... is still {CRYPT}, not {MD5}!!!

According to the slapd.conf man page, this isn't accurate.  The 
password-crypt-salt-format parameter simply takes an sprintf(3) 
format string to be passed to crypt(3).  In SOME cases, crypt will 
interpret the string "$1$%.8s" to mean that it should use an MD5 
algorithm for the encryption, not the standard DES, which is what 
crypt(3) defaults to.

For standard DES-based crypt(3) passwords, I believe the correct 
combination to be:

	password-hash {CRYPT}
	password-crypt-salt-format "%.2s"

This creates a 2 character salt, which is what the DES/crypt(3) uses. 
Specifying "$1$%.8s" would specify 8 characters of salt.  Therefore, 
if your crypt(3) does not handle passing it 8 characters correctly, 
then you may be asking for trouble by specifying a hash of {CRYPT} 
and a salt length of 8 characters. (this is just speculation.)

Of course, if you're using glibc2, then you're safe, since crypt(3) 
on a glibc2 based machine correctly handles the passing of the 
sprintf(3) string "$1$%.8s".
-- 

Seeya,
Paul
--
Key fingerprint = 1660 FECC 5D21 D286 F853  E808 BB07 9239 53F1 28EE

	It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

	 If you're not having fun, you're not doing it right!
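The points argued above (the salt format is an sprintf(3) string whose shape selects the crypt(3) variant, "$1$...$..." is still {CRYPT} and not {MD5}, and a {MD5}-prefixed crypt string cannot verify) can be seen concretely with the following added example. It is not code from this thread or from OpenLDAP: the function names are mine, the random salt characters slapd would draw are replaced by a fixed constructed string, and only the "$1$" (md5crypt) variant of crypt(3) is re-implemented, so a two-character DES salt deliberately raises NotImplementedError, standing in for a libc whose crypt(3) lacks a variant.

```python
# Constructed example, not OpenLDAP code.  md5crypt() re-implements the "$1$"
# variant of crypt(3); classic 2-char DES crypt is intentionally absent.
import base64
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_crypt_salt(salt_format: str, random_chars: str) -> str:
    """Emulate password-crypt-salt-format: an sprintf(3) format applied to
    random salt characters.  Python's %-formatting has the same precision
    rule for %s, so "%.8s" keeps the first 8 characters."""
    return salt_format % random_chars


def _to64(v: int, n: int) -> bytes:
    # crypt(3)'s radix-64 encoding, least-significant 6 bits first.
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: str) -> str:
    """crypt(3) "$1$" algorithm.  `salt` may be a bare salt, "$1$salt" or a
    full "$1$salt$hash" string; at most 8 salt characters are used."""
    magic = b"$1$"
    sp = salt.encode()
    if sp.startswith(magic):
        sp = sp[len(magic):]
    sp = sp.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(password + magic + sp)
    alt = hashlib.md5(password + sp + password).digest()
    pl = len(password)
    while pl > 0:                       # as many bytes of alt as the password is long
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                            # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):               # stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (magic + sp + b"$" + enc).decode()


def crypt_userpassword(password: str, salt_format: str, random_chars: str) -> str:
    """What `password-hash {CRYPT}` plus the given salt format would store
    (hypothetical helper; $1$ salts only in this example)."""
    salt = make_crypt_salt(salt_format, random_chars)
    if not salt.startswith("$1$"):
        raise NotImplementedError(
            "salt %r selects a crypt(3) variant this example lacks" % salt)
    return "{CRYPT}" + md5crypt(password.encode(), salt)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check `candidate` against a userPassword value, dispatching on the
    {SCHEME} prefix the way a directory server does."""
    if stored.startswith("{CRYPT}"):
        h = stored[len("{CRYPT}"):]
        if not h.startswith("$1$"):
            raise NotImplementedError("only the $1$ crypt variant is implemented here")
        return md5crypt(candidate.encode(), h) == h
    if stored.startswith("{MD5}"):
        # {MD5} is not crypt(3): it is base64 of the raw, unsalted MD5 digest,
        # so a crypt-style "$1$...$..." body after {MD5} can never match.
        digest = hashlib.md5(candidate.encode()).digest()
        return base64.b64encode(digest).decode() == stored[len("{MD5}"):]
    raise ValueError("unsupported userPassword scheme: " + stored)


if __name__ == "__main__":
    stored = crypt_userpassword("password", "$1$%.8s", "saltsaltXYZ")
    print(stored)                                                    # {CRYPT}$1$saltsalt$...
    print(verify_userpassword(stored, "password"))                   # True
    print(verify_userpassword("{MD5}" + stored[7:], "password"))     # False
```

The salt format "%.2s" is accepted by make_crypt_salt (it yields a two-character salt), but crypt_userpassword then refuses it because this example has no DES crypt, which is exactly the failure mode the thread warns about when a salt format selects a variant the local crypt(3) does not implement.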