PAM Filtering Not working with CRYPT Passwds

[Anton Chu <anton.chu@telecommand.com>]

I have installed the ldapns.schema in my ubuntu 10.04 ldap server to enable host based authentication/filtering.  I have some ubuntu 10.10 ldap clients that requires filtering.  All my ldap users have passwords in crypt format that I have converted to an ldif file using the PADL migration.pl scripts.  After importing them into my ldap server, the pam filtering wasn't working; however, when I changed the passwords from crypt to clear or md5 or sha1, filtering worked fine.  The question is how can I get filtering to work with {CRYPT} password hashing?

cat /etc/ldap.conf | grep -v ^# | grep -v ^$

> base dc=web,dc=net
> uri ldap://10.112.18.2
> ldap_version 3
> rootbinddn cn=admin,dc=web,dc=net
> bind_policy soft
> pam_filter |(host=webdev120)(host=\*)
> nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data
    
> cat common-auth | grep -v ^# | grep -v ^$
> auth    [success=2 default=ignore]    pam_unix.so nullok_secure
> auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
> auth    requisite            pam_deny.so
> auth    required            pam_permit.so

> cat common-account | grep -v ^# | grep -v ^$
> account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so 
> account    [success=1 default=ignore]    pam_ldap.so 
> account    requisite            pam_deny.so
> account    required            pam_permit.so

> cat common-password | grep -v ^# | grep -v ^$
> password    [success=2 default=ignore]    pam_unix.so obscure sha512
> password    [success=1 user_unknown=ignore default=die]    pam_ldap.so use_authtok try_first_pass
> password    requisite            pam_deny.so
> password    required            pam_permit.so