
Solaris 10 openldap authentication with md5 passwords
Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails. We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
Our openldap version is openldap-2.3.39
And all passwords are encrypted with: Base64-encoded md5.
Below is a sample password:

{md5}2FeO34RYzgb7xbt2pYxcpA==


The error messages when trying to 'su -' to the ldap user are:

Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4

and for ssh:

Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2

Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf)
and anything else that I imagine could help (comments of the files have
been removed).

Please feel free to ask for any other configuration file:

/etc/pam.conf

login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth sufficient       pam_unix_auth.so.1  server_policy debug
login   auth required           /usr/lib/security/pam_ldap.so.1 debug
rlogin auth sufficient       pam_rhosts_auth.so.1
rlogin auth requisite        pam_authtok_get.so.1
rlogin auth required         pam_dhkeys.so.1
rlogin auth required         pam_unix_cred.so.1
rlogin  auth required          pam_unix_auth.so.1 use_first_pass
rsh    auth sufficient       pam_rhosts_auth.so.1
rsh    auth required         pam_unix_cred.so.1
rsh    auth required         pam_unix_auth.so.1
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth sufficient       pam_unix_auth.so.1 server_policy
other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
other   auth required           pam_unix_auth.so.1 use_first_pass debug
passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
cron    account required      pam_unix_account.so.1
other   account requisite     pam_roles.so.1
other   account sufficient       pam_unix_account.so.1 server_policy
other   account required        /usr/lib/security/pam_ldap.so.1 debug
other   session required      pam_unix_session.so.1
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy

/etc/ldap.conf

base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn cn=sysadm@example.int,ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5

/etc/nsswitch.conf

passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:   files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files
auth_attr:  files
prof_attr:  files
project:    files
tnrhtp:     files
tnrhdb:     files

/etc/security/policy.conf

AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1

Thanks in advance for any response...!!
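The sample value quoted in the post uses the RFC 2307 userPassword syntax: a `{scheme}` tag followed by the base64 of the digest (unsalted for `{MD5}` and `{SHA}`, digest followed by the salt for `{SMD5}` and `{SSHA}`). When a client such as pam_ldap authenticates, it sends the cleartext in a simple bind and the directory server does the comparison against whatever scheme is stored, so the `pam_password md5` setting in ldap.conf only affects how pam_ldap hashes a *new* password on change, not how an existing one is verified. The script below, added here as an illustration and not code from the original post, from pam_ldap or from OpenLDAP, parses such values, checks a candidate against them, and counts which schemes a directory export uses so an administrator can see how many entries still rely on unsalted MD5 or cleartext. Function names (`parse_userpassword`, `verify_userpassword`, `make_userpassword`, `audit_schemes`), the 4-byte salt length and the case-insensitive scheme match are this example's own choices; OpenLDAP's slappasswd writes the tag in upper case (`{MD5}`, `{SSHA}`), and whether a given server accepts the lower-case `{md5}` shown in the post is something to confirm in that server's documentation. `{CRYPT}` values are left to the platform crypt(3) and are not verified here.

```python
"""Parse, verify and audit RFC 2307 userPassword values.

Added example for the mailing-list post above; not code from pam_ldap or
OpenLDAP. Handles the base64 digest schemes {MD5}, {SMD5}, {SHA}, {SSHA};
{CRYPT} is deliberately not implemented (that is crypt(3)'s job).
"""
import base64
import hashlib
import hmac
import os
import re
from collections import Counter

# Scheme tag -> digest constructor. Salted variants store digest || salt and
# compute digest(password || salt); unsalted ones store only the digest.
_DIGESTS = {
    "MD5": hashlib.md5,
    "SMD5": hashlib.md5,
    "SHA": hashlib.sha1,
    "SSHA": hashlib.sha1,
}
_SALTED = {"SMD5", "SSHA"}
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_userpassword(value):
    """Split '{scheme}payload' into (SCHEME, payload); the tag is upper-cased
    so '{md5}' and '{MD5}' are treated alike (this example's choice).
    A value without a tag is cleartext per RFC 2307."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def decode_digest(scheme, payload):
    """Base64-decode the payload and split it into (digest, salt)."""
    raw = base64.b64decode(payload, validate=True)
    size = _DIGESTS[scheme]().digest_size
    if len(raw) < size:
        raise ValueError(f"{scheme} payload too short: {len(raw)} bytes")
    if scheme not in _SALTED and len(raw) != size:
        raise ValueError(f"{scheme} is unsalted but payload has trailing bytes")
    return raw[:size], raw[size:]


def make_userpassword(scheme, password, salt=None):
    """Build a userPassword value the way a server or client would store it."""
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        raise ValueError(f"unsupported scheme {scheme}")
    if scheme in _SALTED:
        # 4-byte random salt is an assumption made for this example.
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(candidate, stored):
    """Return True if candidate matches stored, using a constant-time compare."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate.encode("utf-8"), payload.encode("utf-8"))
    if scheme not in _DIGESTS:
        raise ValueError(f"unsupported scheme {scheme}")
    digest, salt = decode_digest(scheme, payload)
    computed = _DIGESTS[scheme](candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def audit_schemes(values):
    """Count scheme tags across an export and list the ones without a salt
    (or with no hashing at all), which are the entries worth migrating."""
    counts = Counter(parse_userpassword(v)[0] for v in values)
    weak = sorted(s for s in counts if s in ("CLEARTEXT", "MD5", "SHA"))
    return counts, weak


if __name__ == "__main__":
    # Constructed sample values; the first one is the value quoted in the post.
    SAMPLE = [
        "{md5}2FeO34RYzgb7xbt2pYxcpA==",
        make_userpassword("SSHA", "secret"),
        "{CRYPT}$1$placeholder$",
    ]
    print(parse_userpassword(SAMPLE[0]))
    print(audit_schemes(SAMPLE))
    print(verify_userpassword("secret", make_userpassword("MD5", "secret")))
```

Running the audit over an LDIF export of userPassword values is a quick way to see whether a directory still holds unsalted `{MD5}` entries; the same verifier also makes it easy to confirm, independently of PAM, that a stored value really corresponds to the password a user is typing before suspecting the PAM stack.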