
Re: fedora and openldap





On 04/09/2011 05:23 PM, harry.jede@arcor.de wrote:

I find those hard to read, so:

$ echo e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= | openssl enc -d -base64
{MD5}i27/v62xAo6b8GmvaGPx6w==

$ echo e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= | openssl enc -d -base64
{crypt}$1$DuT3b0KP$MF6d9Pj8axRAztEoU45T40


I did try to add the md5 variable in the pam stack but
unsuccessfully,
No, no,
$1$ at the beginning of the password hash indicates crypt's
implementation of md5. And this has nothing to do with MD5 hashes,
Thanks for the clarification, didn't know it


I also tried to change the authconfig command to
generate md5 passwords but they didn't fit the ones in the server.
A common misunderstanding,

From "man slappasswd"

        -c crypt-salt-format
Specify the format of the salt passed to crypt(3) when generating
{CRYPT} passwords. This string needs to be in sprintf(3)
format and may include one (and only one) %s conversion. This
conversion will be substituted with a string random characters
from [A-Za-z0-9./]. For example, '%.2s' provides a two character
salt and '$1$%.8s' tells some versions of crypt(3) to use an
MD5 algorithm and provides 8 random characters of salt. The
default is '%s', which provides 31 characters of salt.

If you set in slapd.conf:
password-crypt-salt-format '$1$%.8s'

then the password is stored in crypt's md5 format.

But normally that is not what you want. Even with md5, crypt is much
weaker than ssha. Only if you have really old unices in your network
you should use crypt.
Considering your words I will go for ssha passwords, I'll try to figure out how to do it, after all tests I don't know how to change this. At least I could see that the password exop option in the pam_ldap.conf lets the server apply the security to the password, so I think I can change it within the slapd.conf file.
Do you suggest to use salt?

Thanks a lot for your help,
j

--
Judith Flo Gaya
Systems Administrator IMPPC
e-mail: jflo@imppc.org
Tel (+34) 93 554-3079
Fax (+34) 93 465-1472

Institut de Medicina Predictiva i Personalitzada del Càncer
Crta Can Ruti, Camí de les Escoles s/n
08916 Badalona, Barcelona,
Spain
http://www.imppc.org
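
An added example, not part of the thread or of OpenLDAP: a small Python audit helper that decodes userPassword values like the two shown above and reports the storage scheme and salt, separating `{MD5}` (unsalted digest) from `{crypt}` with a `$1$` prefix (md5-crypt with its own salt). The function names and the `{SSHA}` helper are assumptions made for illustration; the `{SSHA}`/`{SMD5}` layout assumed is base64 of the digest followed by the salt.

```python
import base64
import hashlib
import hmac
import re

# scheme -> (hash algorithm, digest length in bytes); any extra bytes are salt
DIGESTS = {"MD5": ("md5", 16), "SMD5": ("md5", 16),
           "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def describe(value: str) -> dict:
    """Report scheme and salt of a userPassword value such as '{MD5}...'."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if m is None:
        return {"scheme": "CLEARTEXT", "salt": None}
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        parts = body.split("$")
        if len(parts) >= 4 and parts[0] == "":  # modular form: $id$salt$hash
            variant = CRYPT_IDS.get(parts[1], "unknown")
            return {"scheme": scheme, "variant": variant, "salt": parts[2]}
        return {"scheme": scheme, "variant": "traditional", "salt": body[:2]}
    if scheme in DIGESTS:
        algo, size = DIGESTS[scheme]
        raw = base64.b64decode(body)
        return {"scheme": scheme, "algo": algo,
                "digest": raw[:size], "salt": raw[size:] or None}
    return {"scheme": scheme, "salt": None}

def describe_ldif(b64: str) -> dict:
    """Same, for the base64 form LDIF prints after 'userPassword::'."""
    return describe(base64.b64decode(b64).decode("ascii"))

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(value: str, password: bytes) -> bool:
    """Check a password against an {MD5}, {SMD5}, {SHA} or {SSHA} value."""
    info = describe(value)
    if "digest" not in info:
        raise ValueError("cannot verify scheme " + info["scheme"])
    calc = hashlib.new(info["algo"], password + (info["salt"] or b"")).digest()
    return hmac.compare_digest(calc, info["digest"])

if __name__ == "__main__":
    # The two base64 values from the thread.
    print(describe_ldif("e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0="))
    print(describe_ldif("e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA="))
```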