[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bind using a user other than organizationalRole user

To: Michael Ströder <michael@stroeder.com>
Subject: Re: Bind using a user other than organizationalRole user
From: Marcelo de Moraes Serpa <celoserpa@gmail.com>
Date: Wed, 7 Apr 2010 23:11:04 -0500
Cc: openldap-software@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:received:message-id:subject:from:to:cc:content-type; bh=JQa+wDkBSE4M0eJSDcDwo7IkKx+ctUV7scfkdt4mokk=; b=AhLGvFgearnOjgU3knXOAxwjphhftiwg9nDGYl/9Pyw5xnS+0uCtuZ8bK3Po8G7zTC G9TQkeUxAQMnenBF6kFsYoAGS5Cpok9N1D3lQ5hQ5A4QoBqnf06CSi5oQQLmPPqqNP38 0GYE47cXdt72kIB6YO92w2w6viS3uq/N6GBDo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=uubatDURGrNuF0AK7Iw/Hlz9dK3OUCmfWxhit2VFFlMzwVEHFOySDRLi2bnE5/weOL 7nb9vtJtE5+iBXEsgWh3gwvPZTk5xIUiGNCUGAjhPdZNd3PkEwHHMdnoOQ8duru4KEZX 2PylqkAOj8eJCOIlB/tORpg05//idpr9Mi1F0=
In-reply-to: <4BBCBC30.4090306@stroeder.com>
References: <g2i1e5bcefd1004061128t1906e4e1sbc357a1f745558a1@mail.gmail.com> <20100407090445.675f5532@magenta.l4b.de> <s2y1e5bcefd1004070054x26c16ecfv6485a07c9623f0f0@mail.gmail.com> <4BBCBC30.4090306@stroeder.com>

Hello all,

Thank you for the insights.

In general: if you haven't explicitly defined an ACL, OpenLDAP is
configured to allow anonymous reads -- this is *not* sufficient to auth.
You will want to allow anonymous auth to the appropriate DNs.

Yeah, I figured that out. I probably created a situation where:
1) I tried authenticating without the proper ACL, it failed;
2) Entered trial and error mode, tried changing userPassword to {CLEARTEXT}secret_12345
3) Didn't work either;
4) Put the: "access to * by * read" ACL, restarted server.
5) Tried authenticating with secret_12345, didn't work
6) Too much time spent, couldn't spend more time on the issue. Tried just converting secret_12345 to SHA-1 and updating the value of userPassword
7) Worked!
8) Could finally relax and get out to get some fresh air ;)

So, the point is, I could get it to work. This is not to say I wouldn't like to know what happened, it is on my list, I might go through the process again next weekend and document my findings, but I think you guys already said what was to be said about the issue.

Cheers and peace!

Marcelo.

2010/4/7 Michael Ströder <michael@stroeder.com>

Marcelo de Moraes Serpa wrote:

> Hi Dieter, thanks for the reply.
>
> Yeah, the folks @ #openladp were kind enough to help me to debug this
> issue. It turned out that it was a simple detail (as mostly always :))
> -- When I created the ldif, I've put the password in clear text,
> however, I didn't do anything to tell openldap that it was actually
> cleartext nor I knew I had to. The whole time I though it had to do with
> ACLs (OpenLDAP denying read-access to userPassword), but the problem was
> that OpenLDAP was trying to authenticate using SHA-1, and the password
> was stored as clear text.
>
> The solution? Store the password as a SHA-1 hash. Nobody would want to
> store password as clear-text anyway.

There's nothing wrong with storing a clear-text password like

userPassword: secret_12345

in the directory entry. In fact you have to when e.g. using SASL/DIGEST-MD5
bind with in-directory passwords.

When processing a simple bind slapd looks whether a password is stored in
hashed form by looking at a magic prefix like {SSHA}. If that prefix is not
there it is assumed that the password is stored in clear and this gets compared.

> So, issue solved!

Hmm, I think you mixed up something.

Ciao, Michael.

References:
- Bind using a user other than organizationalRole user
  - From: Marcelo de Moraes Serpa <celoserpa@gmail.com>
- Re: Bind using a user other than organizationalRole user
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: Bind using a user other than organizationalRole user
  - From: Marcelo de Moraes Serpa <celoserpa@gmail.com>
- Re: Bind using a user other than organizationalRole user
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Replication problem: How to sync?
Next by Date: Question on back-perl
Index(es):
- Chronological
- Thread