
Re: why '{SSHA}***' method is "Invalid credentials (49)"?



On Tuesday 03 April 2007, Rocky Zhou wrote:
> Now I'm making openldap and Kerberos work together, and I have a
> question about the password that ldap uses. The configuration file
> /usr/local/etc/openldap/slapd.conf has these lines:
> # rootpw                secret
> rootpw          {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ
> while the second line is generated by slappasswd, I tried to use:
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f
> passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'
> to import accounts info into the database, but it reports:
> ldap_bind: Invalid credentials (49)
>
> If I use:
> rootpw                secret
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f
> passwd.ldif -w 'secret', it works.
>
> So why does the '{SSHA}' method fail?

Because hashes are one-way.

It would be pointless if you could use the hash as a clear-text equivalent.

If you want strong authentication, don't use simple binds (thus, you need to 
end up removing rootpw).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

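How the {SSHA} value that slappasswd writes into rootpw is built and checked, as an added example (not code from the post and not OpenLDAP's own implementation). It assumes the documented {SSHA} layout, base64 of the SHA-1 digest of password plus salt followed by the salt, and uses a constructed fixed salt so the output is reproducible:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} layout used by slappasswd: base64( SHA1(password || salt) || salt ).
# slappasswd uses a 4-byte salt by default (assumption; any length parses below).
SALT_LEN = 4
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a '{SSHA}...' string in the same format slappasswd produces."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate clear-text password against a stored {SSHA} value.

    This mirrors what slapd does on a simple bind: it never 'decodes' the
    hash; it re-hashes whatever the client sent with the stored salt and
    compares digests. Sending the hash string itself therefore fails.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        return False  # truncated or corrupted value
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


if __name__ == "__main__":
    # Constructed example with a fixed salt (not the value from the post).
    stored = ssha_hash("secret", salt=b"\x01\x02\x03\x04")
    print(stored)
    print(ssha_verify(stored, "secret"))  # True: the clear-text password binds
    print(ssha_verify(stored, stored))    # False: the hash is not a password
```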