password changes/encryption help
- To: openldap-software@OpenLDAP.org
- Subject: password changes/encryption help
- From: Brian Jones <jonesy@CS.Princeton.EDU>
- Date: Fri, 19 Dec 2003 16:05:09 -0500
- User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
hi all.
I believe I had this working at some point much earlier in my testing.
Now that I'm almost ready for production, of course, it broke :-(
I have linux (currently RH 9) clients that I would like to have change
their passwords using the standard passwd binary and pam_ldap. The
OpenLDAP server (v 2.1.21 IIRC) is also running RH9, with back-bdb. It
has been built with the 'enable-crypt' option.
Passwords can be changed using the command line program 'passwd'.
However, the passwords are useless (exiting that user's shell and
'su'ing back to that user with the new password fails with 'Incorrect
password'). In my /etc/ldap.conf file, I'm using 'pam_password md5'.
I've also tried 'pam_password crypt'. Here's where my confusion starts:
If I have the password crypted on the client before being sent to the
server, is the server then going to crypt it *again*, because I compiled
with '--enable-crypt'? There's no 'password-hash {}' line in my
slapd.conf, but the man page says that SSHA is the default.
This seems like it would mean I should just specify 'pam_password clear'
in ldap.conf on the client, and 'password-hash {CRYPT}' on the server.
However, this did not work either. Passwords appear to be generated (no
errors from the 'passwd' program - and I can verify with an LDAP gui
that it's changed), but the resulting passwords can't be used for
authentication. The passwords in the directory look like standard
13-character crypt passwords, if that helps.
Any clues hereby solicited.
brian.
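An added worked example to go with the question above (it is not part of the original message, and it is not OpenLDAP's own code; slapd's reference implementation of these formats is in liblutil/passwd.c). It reimplements the RFC 2307 userPassword storage formats that are being discussed, {SSHA}, {SMD5}, {SHA}, {MD5} and, where Python's crypt module is present, {CRYPT}, so you can see what a correctly generated value looks like and, in particular, what goes wrong when a value that the client already hashed (pam_password md5 or crypt) is hashed a second time on the server: the stored value then verifies only against the pre-hashed string, never against the user's cleartext password. The salt lengths (4 bytes for {SSHA}/{SMD5}) and the traditional 13-character DES format for {CRYPT} are assumptions that match what slapd emits by default; the example password is constructed.

```python
"""RFC 2307 userPassword values: generate and verify {SSHA}/{SMD5}/{SHA}/{MD5}/{CRYPT}.

Stand-alone example, not OpenLDAP's code. Runs offline with the standard library.
"""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # libc crypt(3) wrapper; Unix only, removed in Python 3.13
except ImportError:
    crypt = None


def _salted(scheme, algo, cleartext, salt):
    """Build '{SCHEME}' + base64(digest(password || salt) || salt)."""
    digest = algo(cleartext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def hash_ssha(cleartext, salt=None):
    """{SSHA}: SHA-1 with a 4-byte random salt (slapd's default password-hash)."""
    return _salted("SSHA", hashlib.sha1, cleartext, os.urandom(4) if salt is None else salt)


def hash_smd5(cleartext, salt=None):
    """{SMD5}: MD5 with a 4-byte random salt."""
    return _salted("SMD5", hashlib.md5, cleartext, os.urandom(4) if salt is None else salt)


def hash_sha(cleartext):
    """{SHA}: unsalted SHA-1 (same format with an empty salt)."""
    return _salted("SHA", hashlib.sha1, cleartext, b"")


def hash_md5(cleartext):
    """{MD5}: unsalted MD5 (same format with an empty salt)."""
    return _salted("MD5", hashlib.md5, cleartext, b"")


def hash_crypt(cleartext, salt=None):
    """{CRYPT}: libc crypt(3). A 2-character DES salt yields the 13-char string seen in the post.

    Assumption: the host's crypt(3) still supports traditional DES; modern libcs may not.
    """
    if crypt is None:
        raise RuntimeError("crypt(3) is not available in this Python build")
    if salt is None:
        salt = crypt.mksalt(crypt.METHOD_CRYPT)
    return "{CRYPT}" + crypt.crypt(cleartext, salt)


def verify(cleartext, stored):
    """Check a cleartext password against a stored userPassword value.

    Mirrors what the server does at simple bind: the prefix selects the scheme,
    the salt is recovered from the tail of the decoded blob, and the digest is
    recomputed over cleartext || salt.  A value with no {scheme} prefix is
    treated as stored cleartext and compared directly.
    """
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), cleartext.encode("utf-8"))
    scheme, _, rest = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        if crypt is None:
            return False
        return hmac.compare_digest(crypt.crypt(cleartext, rest), rest)
    if scheme in ("SHA", "SSHA"):
        algo = hashlib.sha1
    elif scheme in ("MD5", "SMD5"):
        algo = hashlib.md5
    else:
        return False  # unknown scheme: fail closed
    try:
        raw = base64.b64decode(rest, validate=True)
    except (ValueError, TypeError):
        return False
    dlen = algo().digest_size
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (scheme in ("SHA", "MD5") and salt):
        return False
    return hmac.compare_digest(algo(cleartext.encode("utf-8") + salt).digest(), digest)


def double_hash_demo(cleartext="constructed-example-pw"):
    """Reproduce the failure mode from the thread.

    The client pre-hashes (as 'pam_password md5' would) and the server, told to
    hash as well, hashes the *string* it received.  The result only verifies
    against the intermediate hash, not against the real password.
    """
    sent_by_client = hash_smd5(cleartext)          # what pam_ldap would send
    stored_by_server = hash_ssha(sent_by_client)   # server hashes it again
    return {
        "cleartext_verifies": verify(cleartext, stored_by_server),       # False
        "prehash_verifies": verify(sent_by_client, stored_by_server),    # True
        "single_hash_verifies": verify(cleartext, sent_by_client),       # True
    }
```

Two practical notes. First, slapd's `password-hash` directive only governs the LDAP Password Modify extended operation (RFC 3062); a plain modify that replaces the `userPassword` attribute is stored byte-for-byte as sent, so whether a value is hashed once, twice or not at all depends on which of those two paths the client takes (`pam_password exop` in pam_ldap uses the extended operation and lets the server pick the scheme). Second, `verify()` above is a diagnostic: dump the stored `userPassword` with ldapsearch as a privileged DN, paste it in, and test the cleartext you typed; if it fails but the value verifies against a hash of that cleartext, you are looking at the double-hashing case the demo reproduces.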