Re: password changes/encryption help

[Matthew Riedel <mriedel@lanl.gov>]

Nevermind.. ID-10-T Error.  I have to learn the difference between 
/etc/ldap.conf and /etc/openldap/ldap.conf...

<grumble>

Matt

On Feb 19, 2004, at 4:15 PM, Matthew Riedel wrote:

> I am having the exact same problem.  I am able to change passowrds 
> successfully, but it seems to mutilate them.
>
> I have password-hash {SSHA} explicitly defined in the slapd.conf, but 
> it still shows up as a {crypt} password when you view the entry.  A 
> typical scenario:
>
> 1) Set users password manually, using SSHA on server
> 2) log in as user on client
> 3) Change password using "passwd"
> 4) Look at the user again from the server side, and it shows up as 
> {CRYPT} on the server, even though I have password-hash {SSHA} in 
> slapd.conf
>
> I also have "pam_password exop" in the /etc/openldap/ldap.conf file
>
> This is Red Hat 9 w/ openldap 2.0.27 and nss_ldap 202
>
> Any one have any ideas out there?
>
> Matt Riedel
>
> On Dec 19, 2003, at 2:05 PM, Brian Jones wrote:
>
> > hi all.
> >
> > I believe I had this working at some point much earlier in my 
> > testing. Now that I'm almost ready for production, of course, it 
> > broke :-(
> >
> > I have linux (currently RH 9) clients that I would like to have 
> > change their passwords using the standard passwd binary and pam_ldap. 
> > The OpenLDAP server (v 2.1.21 IIRC) is also running RH9, with 
> > back-bdb. It has been built with the 'enable-crypt' option.
> >
> > Passwords can be changed using the command line program 'passwd'. 
> > However, the passwords are useless (exiting that user's shell and 
> > 'su'ing back to that user with the new password fails with 'Incorrect 
> > password'). In my /etc/ldap.conf file, I'm using 'pam_password md5'. 
> > I've also tried 'pam_password crypt'. Here's where my confusion 
> > starts:
> >
> > If I have the password crypted on the client before being sent to the 
> > server, is the server then going to crypt it *again*, because I 
> > compiled with '--enable-crypt'? There's no 'password-hash {}' line in 
> > my slapd.conf, but the man page says that SSHA is the default.
> >
> > This seems like it would mean I should just specify 'pam_password 
> > clear' in ldap.conf on the client, and 'password-hash {CRYPT}' on the 
> > server. However, this did not work either. Passwords appear to be 
> > generated (no errors from the 'passwd' program - and I can verify 
> > with an LDAP gui that it's changed), but the resulting passwords 
> > can't be used for authentication. The passwords in the directory look 
> > like standard 13-character crypt passwords, if that helps.
> >
> > Any clues hereby solicited.
> > brian.