
Re: fedora and openldap



Judith Flo Gaya wrote:
> On 04/06/2011 02:44 PM, Aaron Richton wrote:
> > On Tue, 5 Apr 2011, Judith Flo Gaya wrote:
> >
> > [with ldappasswd I get]
> >
> >> e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0=
> >
> > [but with passwd I get]
> >
> >> e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA=
> >
> > [after running]
> >
> >> authconfig --enableforcelegacy --disablecachecreds --enableldap
> >> --enableldapauth --ldapserver=172.19.5.13
> >> --ldapbasedn=dc=linux,dc=imppc,dc=org --disableldaptls
> >> --disablefingerprint --disablewinbind --disablewins --disablesssd
> >> --disablesssdauth --disablenis --enablecache --enablelocauthorize
> >> --usemd5 --updateall
> >>
> >> This command takes care of all the pam.d files, and considering
> >> that the ssh does work with the password set by the ldappasswd
> >> command, where is the problem?
> >
> > I find those hard to read, so:
> >
> > $ echo e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= | openssl enc -d -base64
> > {MD5}i27/v62xAo6b8GmvaGPx6w==
> >
> > $ echo e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= | openssl enc -d -base64
> > {crypt}$1$DuT3b0KP$MF6d9Pj8axRAztEoU45T40
>
> sorry, I should have provided them
>
> > So, with ldappasswd you're getting MD5 userPassword values (and you
> > seem to be happy with that), but with passwd you're getting crypt
> > userPassword values (which are not using the MD5 scheme you seem to
> > be happy with).
> >
> > With that in mind, I'd propose the command that "takes care of all
> > the pam.d files" might not be as complete as you hoped. I'd check
> > the "password" pam stack and make sure that it's configured to
> > generate MD5 passwords or, much better yet, use the LDAP Password
> > Modify operation just as your ldappasswd invocation does.
>
> I did try to add the md5 variable in the pam stack but
> unsuccessfully,
No, no,
$1$ at the beginning of the password hash indicates crypt's
implementation of md5. And this has nothing to do with MD5 hashes.


> I also tried to change the authconfig command to 
> generate md5 passwords but they didn't fit the ones in the server.
A common misunderstanding.

From "man slappasswd":

       -c crypt-salt-format
              Specify the format of the salt passed to crypt(3) when generating
              {CRYPT} passwords. This string needs to be in sprintf(3) format
              and may include one (and only one) %s conversion. This conversion
              will be substituted with a string random characters from
              [A-Za-z0-9./]. For example, '%.2s' provides a two character salt
              and '$1$%.8s' tells some versions of crypt(3) to use an MD5
              algorithm and provides 8 random characters of salt. The default
              is '%s', which provides 31 characters of salt.

If you set in slapd.conf:
password-crypt-salt-format '$1$%.8s'

then the password is stored in crypt's md5 format.

But normally that is not what you want. Even with md5, crypt is much
weaker than ssha. Only if you have really old Unices in your network
should you use crypt.

-- 

Harry Jede
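As an added example (not part of the thread, and not OpenLDAP's own code), the script below unwraps the two base64 userPassword values quoted above, tells a {MD5} digest apart from a {crypt} value whose $1$ prefix means MD5-crypt, and shows what {SSHA} looks like by comparison. The SAMPLES dict holds the thread's two values; the audit() helper, the hash_*/verify functions and the test password are assumptions made for this example. {CRYPT} verification is left out because it needs the platform crypt(3).

```python
"""Decode OpenLDAP userPassword values and tell the hashing schemes apart."""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample: the two base64-wrapped values quoted in the thread,
# one set by ldappasswd and one set by passwd through pam_ldap.
SAMPLES = {
    "ldappasswd": "e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0=",
    "passwd": "e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA=",
}

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)


def decode_userpassword(b64value):
    """LDIF base64-wraps values that begin with '{'; undo that wrapping."""
    return base64.b64decode(b64value).decode("ascii")


def classify(value):
    """Describe the scheme of one userPassword value as a dict."""
    m = SCHEME_RE.match(value)
    if not m:
        return {"scheme": "cleartext", "variant": "none", "salt": None, "salted": False}
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        # crypt(3) puts the algorithm id in the prefix: $1$ is MD5-crypt
        # (salted, iterated), $5$/$6$ are SHA-crypt, anything else is DES
        # with a two-character salt. None of these is the {MD5} scheme.
        if body.startswith(("$1$", "$5$", "$6$")):
            fields = body.split("$")[2:]  # drop the empty lead and the id
            if fields and fields[0].startswith("rounds="):
                fields = fields[1:]
            variant = "md5-crypt" if body[1] == "1" else "sha-crypt"
            return {"scheme": scheme, "variant": variant, "salt": fields[0], "salted": True}
        return {"scheme": scheme, "variant": "des-crypt", "salt": body[:2], "salted": True}
    if scheme in ("MD5", "SHA"):
        # {MD5}/{SHA}: base64 of the bare digest, no salt at all.
        return {"scheme": scheme, "variant": "unsalted digest", "salt": None, "salted": False}
    if scheme in ("SMD5", "SSHA"):
        # {SMD5}/{SSHA}: base64(digest(password + salt) + salt).
        raw = base64.b64decode(body)
        digest_len = 16 if scheme == "SMD5" else 20
        return {"scheme": scheme, "variant": "salted digest", "salt": raw[digest_len:], "salted": True}
    return {"scheme": scheme, "variant": "unknown", "salt": None, "salted": None}


def hash_md5(password):
    """{MD5} as ldappasswd produced it here: unsalted, so equal passwords collide."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password, salt=None):
    """{SSHA}: SHA-1 over password+salt, with the salt appended to the digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(value, password):
    """Check a candidate password against the digest schemes handled above."""
    info = classify(value)
    pw = password.encode("utf-8")
    if info["scheme"] == "cleartext":
        return hmac.compare_digest(value.encode("utf-8"), pw)
    raw = base64.b64decode(value[value.index("}") + 1:])
    if info["scheme"] == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if info["scheme"] == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if info["scheme"] == "SMD5":
        return hmac.compare_digest(raw[:16], hashlib.md5(pw + raw[16:]).digest())
    if info["scheme"] == "SSHA":
        return hmac.compare_digest(raw[:20], hashlib.sha1(pw + raw[20:]).digest())
    raise NotImplementedError("no verifier for scheme " + info["scheme"])


def audit(entries):
    """Flag entries whose hash is unsalted or crypt-based, i.e. weaker than {SSHA}."""
    findings = []
    for dn, b64value in entries.items():
        info = classify(decode_userpassword(b64value))
        if not info["salted"] or info["scheme"] == "CRYPT":
            findings.append((dn, info["scheme"], info["variant"]))
    return findings


if __name__ == "__main__":
    for who, b64value in SAMPLES.items():
        value = decode_userpassword(b64value)
        print(who, "->", value, classify(value))
    print(audit(SAMPLES))
```

Run against an LDIF export, audit() is the check to apply: any hit on MD5/SHA (unsalted) or CRYPT (MD5-crypt or DES) is a candidate for resetting under {SSHA}, which is what the reply above recommends unless legacy Unix clients force crypt.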