
Re: OpenLDAP + backsql + salted_hashed_password, how to adopt the mappings



On 12/16/12 12:04 +0100, DavidHornung wrote:
I have to say thank you! I changed in the table ldap_attr_mappings the value of userPassword from
persons.password

to
text('{CRYPT}'||persons.password)

Now I am able to auth again the salted MD5 passwords!

One further question:
I tried to use blowfish
UPDATE persons SET password = crypt('secret', gen_salt('bf'));
instead of md5
UPDATE persons SET password = crypt('secret', gen_salt('bf'));

but I could not authenticate, what could be the problem?

Check your local manpage for crypt(3) to see if blowfish is supported on
your system, and that the ID matches the postgresql output.


Yes, it gives

             ID  | Method
---------------------------------------------------------
             1   | MD5
             2a  | Blowfish (not in mainline glibc; added in some
                 | Linux distributions)
             5   | SHA-256 (since glibc 2.7)
             6   | SHA-512 (since glibc 2.7)


and the 2a is also given back from postgresql crypt

When using the '{CRYPT}' identifier, you're telling slapd to make a 'crypt'
system call to verify the hash. If that is failing for blowfish (but
working for md5), that indicates that your problem is likely with how glibc
was compiled on your system.

Check with your distribution's glibc maintainer to verify they have
included blowfish support (for the crypt call).

--
Dan White
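
Added example, not part of the original thread and not OpenLDAP code: one way to run the check described above, by asking the local crypt(3) (the same call slapd makes for '{CRYPT}') whether it accepts the method ID found in a stored userPassword value. The function names and probe salts are constructed for illustration, and the library lookup assumes a Unix-like system where ctypes can find libcrypt or libc.

```python
import ctypes
import ctypes.util
import re

# Constructed probe settings, one per method ID in the crypt(3) table above.
PROBE_SETTINGS = {
    "1": b"$1$saltsalt$",
    "2a": b"$2a$04$abcdefghijklmnopqrstuu",
    "5": b"$5$saltsalt$",
    "6": b"$6$saltsalt$",
}

def crypt_id(user_password):
    """Return the crypt(3) method ID of a '$id$...' value, or None."""
    m = re.match(r"^(?i:\{CRYPT\})?\$([0-9a-z]+)\$", user_password)
    return m.group(1) if m else None

def load_crypt():
    """Load the C library that provides crypt(3); None if it cannot be found."""
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1",
                 ctypes.util.find_library("c")):
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
            lib.crypt.restype = ctypes.c_char_p
            lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
            return lib
        except (OSError, AttributeError):
            continue
    return None

def local_crypt_supports(method_id, lib=None):
    """True/False if crypt(3) accepts this ID, None if it cannot be tested."""
    if lib is None:
        lib = load_crypt()
    setting = PROBE_SETTINGS.get(method_id)
    if lib is None or setting is None:
        return None
    out = lib.crypt(b"secret", setting)
    # A supported method echoes its '$id$' prefix; an unsupported one does not
    # (NULL or an error token, depending on the libc).
    return out is not None and out.startswith(b"$" + method_id.encode() + b"$")

def diagnose(user_password):
    """Map a stored userPassword value to (method ID, locally supported?)."""
    mid = crypt_id(user_password)
    return mid, (local_crypt_supports(mid) if mid else None)
```

Run diagnose() on the host where slapd runs: a result of ("2a", False) next to ("1", True) matches the situation in this thread, where MD5 verifies and blowfish does not.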