On Tuesday 03 April 2007, Rocky Zhou wrote:
> Now I'm making OpenLDAP and Kerberos work together, and I have a
> question about the password LDAP uses. The configuration file
> /usr/local/etc/openldap/slapd.conf has these lines:
> # rootpw secret
> rootpw {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ
> where the second line is generated by slappasswd. I tried to use:
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f
> passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'
> to import account info into the database, but it reports:
> ldap_bind: Invalid credentials (49)
>
> If I use:
> rootpw secret
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f
> passwd.ldif -w 'secret'
> it works.
>
> So why does the '{SSHA}' method fail?

Because hashes are one-way. It would be pointless if you could use the
hash as a clear-text equivalent.

If you want strong authentication, don't use simple binds (thus, you need
to end up removing rootpw).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng, RHCE(803004789010797), LPIC-2(LPI000074592)