RE: Migrated users cannot bind - HELP!
Hey Kevin,
It's my understanding the "::" indicates that the userPassword is base64
encoded. Therefore prefixing it with {CRYPT} would not be appropriate
because the decoded base64 string already contains the {CRYPT} prefix.
I appreciate your input and welcome any other comments.
Regards,
Matt
-----Original Message-----
From: Kevin Appel [mailto:kappel@clunet.edu]
Sent: Sunday, January 16, 2005 12:47 PM
To: 'Matt Stone'
Cc: openldap-software@OpenLDAP.org
Subject: RE: Migrated users cannot bind - HELP!
Hi Matt,
I looked at the LDIF file you attached and noticed there is an issue with
the userPassword value you are using in the LDIF. The first user contains a
valid password; it is prefixed with the correct hash type {CRYPT}. The
second userPassword however does not contain the prefix describing what hash
type is used. Try to replace:
userPassword::
e0NSWVBUfW9MUEZRYxIREA==
with
userPassword: {CRYPT}e0NSWVBUfW9MUEZRYxIREA==
and see if this works. If it does not work, how are you obtaining this
userPassword from the old system?
I hope this helps a little.
Kevin
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Matt Stone
Sent: Sunday, January 16, 2005 7:13 AM
To: stran@amnh.org
Cc: openldap-software@OpenLDAP.org
Subject: RE: Migrated users cannot bind - HELP!
Sam,
I tried the version of LDAP you suggested and I'm experiencing the same
issue.
I've attached an LDIF that contains the 2 users I'm testing with. Would you
please try it for yourself?
Binding as uid=mstone,ou=people,dc=example works
Binding as uid=gadmin,ou=people,dc=example does NOT work.
Both of these users have their password set to: Loser@123
Again, the difference is gadmin had his password set by Aphelion. Mstone had
his password set on the OpenLDAP server.
I really appreciate your help.
Matt
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Samuel Tran
Sent: Sunday, January 16, 2005 12:54 AM
To: Matt Stone
Cc: openldap-software@OpenLDAP.org
Subject: RE: Migrated users cannot bind - HELP!
Matt,
I am not familiar with OpenLDAP on the Windows platform at all.
Please check this link:
http://lucas.bergmans.us/hacks/openldap/
Lucas built OpenLDAP 2.2.19 with OpenSSL 0.9.7e.
Please install his package; it may solve your problem.
Sam
> Hey Sam,
>
> Thanks for the speedy response!
>
>> Hi Matt,
>>
>> What flavor of UNIX/Linux are you using?
>
> I'm actually running on a Windows box using Cygwin.
>
>> What version of OpenLDAP are you using?
>
> OpenLDAP 2.2.17-2.
>
>> Are you building OpenLDAP against OpenSSL?
>
> I didn't build it. I downloaded it from the Cygwin setup tool. Should I
> rebuild it?
>
>> If so, what version of OpenSSL?
>
> 0.9.7e-1.
>
>>
>> Most likely your OpenLDAP linked against OpenSSL (-lcrypto) without prior
>> linking against the proper system library (-lcrypt) so the crypt()
>> function of OpenSSL is used instead of the system crypt() function. Your
>> version of OpenSSL may not handle md5 crypt hashed passwords.
>>
>
> Is there any way I can test this?
>
>>
>> I am using OpenSSL 0.9.7e which handles md5 passwords.
>> You should install this version of OpenSSL and recompile your OpenLDAP
>> against it.
>>
>
> Again, is there any way I can determine how OpenLDAP was compiled and
> linked?
>
> Thanks again for your help!
>
> Matt
>
>>
>> Hope this helps.
>>
>> Sam
>>
>> > I've migrated my users from Aphelion to OpenLDAP via an LDIF. I've
>> > confirmed the userPasswords are the same value in both servers. When I
>> > attempt to bind to the OpenLDAP server, I get error 49 (Invalid
>> > Credentials).
>> >
>> > The userPassword for the account I'm testing with looks like this
>> > internally: {CRYPT}oLPFQc
>> >
>> > Any ideas of why I can't bind to the OpenLDAP server?
>> >
>> > Is it possible Aphelion uses a different crypt() method than OpenLDAP?
>> > Because I created a new user on the OpenLDAP server and set its password
>> > to the same plain text value as the account that won't bind. That
>> > userPassword looks like this: {CRYPT}5RpLGC8nBNlhw
>> >
>> > I CAN bind to the new account.
>> >
>> > IF this helps, I know Aphelion uses DES for encryption per their
>> > documentation. How do I get OpenLDAP to do that? Or how do I get the
>> > migrated users to bind period?
>> >
>> > Please help! I don't want to make all my users reset their passwords.
>> >
>> > Any thoughts are welcome.
>> >
>> > Regards,
>> > Matt
>
>
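The point Matt makes about `::` in his last reply can be checked directly. The script below is an added illustration, not code from any poster in this thread: it parses a small LDIF, base64-decodes `attr::` values as RFC 2849 prescribes, splits off the `{SCHEME}` prefix, and reports whether a `{CRYPT}` hash is a well-formed traditional DES crypt(3) string (13 characters from the `./0-9A-Za-z` alphabet) or MD5 crypt (`$1$salt$hash`). The sample LDIF is constructed here from the two DNs and the two password values quoted in the thread; the `objectClass` line and the folded continuation line with its leading space are assumptions about what the attached file looked like. Decoding the quoted base64 value yields `{CRYPT}oLPFQc` followed by three control bytes (0x12 0x11 0x10), which is why the export tool had to base64-encode it and why only six hash characters are visible in the mail.

```python
import base64
import re

# Constructed sample LDIF modelled on the two entries discussed in the thread.
# The second userPassword is the base64 value quoted in Kevin's mail, written
# as a folded line (leading space on the continuation) as RFC 2849 requires.
SAMPLE_LDIF = """\
dn: uid=mstone,ou=people,dc=example
objectClass: inetOrgPerson
uid: mstone
userPassword: {CRYPT}5RpLGC8nBNlhw

dn: uid=gadmin,ou=people,dc=example
objectClass: inetOrgPerson
uid: gadmin
userPassword::
 e0NSWVBUfW9MUEZRYxIREA==
"""

# "attr: value" (literal) or "attr:: value" (base64), optional whitespace after the colon(s)
LINE_RE = re.compile(r"^([^:\s]+)(::?)\s*(.*)$")
# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z]
DES_CRYPT_RE = re.compile(rb"^[./0-9A-Za-z]{13}$")
# MD5 crypt as produced by glibc/OpenSSL: $1$<salt up to 8 chars>$<22 chars>
MD5_CRYPT_RE = re.compile(rb"^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [bytes, ...]} dicts.

    Folded lines (leading space) are joined first; 'attr:: value' is
    base64-decoded, 'attr: value' is taken literally."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 continuation line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        raw = base64.b64decode(value) if sep == "::" else value.encode()
        current.setdefault(attr, []).append(raw)
    if current:
        entries.append(current)
    return entries


def split_scheme(password):
    """Split a userPassword value into (scheme, hash), e.g. (b'CRYPT', b'...').

    Returns (None, password) when no {SCHEME} prefix is present."""
    m = re.match(rb"^\{([^}]+)\}(.*)$", password, re.DOTALL)
    if not m:
        return None, password
    return m.group(1).upper(), m.group(2)


def classify_crypt(hash_bytes):
    """Name the crypt(3) format of a {CRYPT} hash, or 'malformed' if neither fits."""
    if DES_CRYPT_RE.match(hash_bytes):
        return "des"
    if MD5_CRYPT_RE.match(hash_bytes):
        return "md5"
    return "malformed"


def audit_passwords(text):
    """Return {uid: (scheme, hash, verdict)} for every entry in the LDIF."""
    report = {}
    for entry in parse_ldif(text):
        uid = entry["uid"][0].decode()
        for pw in entry.get("userPassword", []):
            scheme, h = split_scheme(pw)
            verdict = classify_crypt(h) if scheme == b"CRYPT" else "not-crypt"
            report[uid] = (scheme, h, verdict)
    return report


if __name__ == "__main__":
    for uid, (scheme, h, verdict) in audit_passwords(SAMPLE_LDIF).items():
        print(f"{uid}: scheme={scheme} hash={h!r} verdict={verdict}")
```

Run against the sample, the mstone entry classifies as a well-formed DES crypt string and the gadmin entry as malformed: after decoding, its hash is six printable characters plus three control bytes, not the 13-character string crypt(3) produces. Kevin's single-colon variant would not help either, since `userPassword: {CRYPT}e0NS...==` stores the base64 text itself as the hash. Running a check like this over an export before loading it is a cheap way to catch migrated credentials that can never verify, instead of discovering them one failed bind at a time.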