Re: why is openldap not recognizing MD5 passwords?

[Pierangelo Masarati <ando@sys-net.it>]

Marten Lehmann wrote:
> Hello,
>
> > Assuming the above is the verbatim value you're trying to use, I note 
> > that "digest" is not a valid MD5 value (see RFC 3112 and RFC 1321).  
> > Otherwise, what value is not being treated as expected?  Can you post 
> > it?
>
> the value I'm storing into the userPassword-attribut is
>
> {MD5}$1$ime/LI2d$EAiFdaweZsL/TIlvBrDDw0
>
> ("testpw" as md5)
>
> Authentication against the value fails. But maybe I'm looking at the 
> wrong end?
This doesn't look like a MD5 password; the value slapd expects is 
something like

slappasswd -h '{md5}' -s testpw
{MD5}ju4+/d4ets9mOaWISDYr9A==

Your value looks much like some extension to crypt(3) that allows to use 
strong(er) encryption than usual crypt(3) by providing a specially 
crafted salt.  In that case, assuming you compiled slapd with {CRYPT} 
support using the same crypt(3) that generated that hash you should be 
able to use that secret by using the {CRYPT} scheme instead of {MD5}.  
You need to realize, of course, that this data is not portable.

p.
which is base64 encoded; the non-base64 string is expected to be 16 
bytes long (128 bits).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------