
Re: [OPENLDAP] slapd password confusion



On Saturday, 24 January 2009 21:02, Technical Home wrote:
> Hello,
>
> In my quest to install and understand how a Samba/OpenLDAP PDC works,
> I encountered a strange problem when setting my slapd admin password.
> Here is my server configuration :
>
> @(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
>   
> buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
>
> I'm running ubuntu-server 8.10 Intrepid. My ubuntu is up to date. I
> installed the slapd package from ubuntu repository.
> dpkg asked me to specify a password for my admin account and I
> entered a password like this one : totototo12;
> And now when I try to modify my LDAP tree with the command
> "ldapmodify -x -D cn=admin,cn=config -W", at the password prompt, I
> can connect with all of these passwords:
> totototo12;
> totototo12
> totototo1
> totototo
> totototo23
> tototototo
> ...
>
> The only condition to log in is that I write the beginning of my
> password: totototo
>
> Why does slapd not care about the end of my password?
It is not slapd!

> If I specify a smaller password like toto12; in slapd configuration
> with dpkg-reconfigure, there is no problem...
Sure.
Sounds like "traditional crypt".

Ubuntu, like Debian, uses a "config script" to configure the slapd package.
This script uses the traditional crypt function to encrypt the password.
So the password is truncated after 8 bytes.

You should update your admin password after installation of slapd. To
generate a more secure password, use slappasswd. Here are some examples:

CRYPT:

:~$slappasswd -s totototo -c zz
{CRYPT}zzlVHEvuiIwkM
:~$slappasswd -s totototo12 -c zz
{CRYPT}zzlVHEvuiIwkM

Better CRYPT with MD5:

:~$slappasswd -s totototo -h '{CRYPT}' -c '$1$%.8s'
{CRYPT}$1$sX0cQlKb$ehdgtM8BZ1QuMGfAaFNRg/
:~$slappasswd -s totototo12 -h '{CRYPT}' -c '$1$%.8s'
{CRYPT}$1$KYMw4wRU$UhkdIJ8ljQ15y7ThEUBJh0

Recommended SSHA:

:~$slappasswd -s totototo
{SSHA}UXb5JkA9naBe8vDJrnn7K9kpnl2ocxjK
:~$slappasswd -s totototo12
{SSHA}iU53gYoWmiA8xwxaXy2hOv5tGTGAjvQv

slappasswd does not change your LDAP-DB.



>
> If you need more information to help me understand what happens,
> just ask me ;) .
>
> Thanks in advance,
> Gilles

-- 

Regards
	Harry Jede
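
Added example, not part of the original message and not OpenLDAP's own code: a Python sketch that classifies stored password values by scheme, flags traditional crypt values (which only cover the first 8 bytes of the password), and builds and checks an {SSHA} value, which is base64 of SHA-1(password + salt) followed by the salt. The function names are hypothetical; the sample values are the ones shown in the message above.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, stored):
    """Verify a password against an {SSHA} value; the full password is hashed."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 output is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def classify(stored):
    """Return (scheme, truncates_at_8_bytes) for a stored password value."""
    upper = stored.upper()
    if upper.startswith("{SSHA}"):
        return "SSHA", False
    if upper.startswith("{CRYPT}"):
        body = stored[len("{CRYPT}"):]
        if body.startswith("$1$"):
            return "md5-crypt", False
        if body.startswith("$"):
            return "crypt-modular", False
        if len(body) == 13:  # 2 salt characters + 11 hash characters
            return "traditional-crypt", True
    return "unknown", False

if __name__ == "__main__":
    # Values taken from the message above.
    samples = [
        "{CRYPT}zzlVHEvuiIwkM",
        "{CRYPT}$1$sX0cQlKb$ehdgtM8BZ1QuMGfAaFNRg/",
        "{SSHA}UXb5JkA9naBe8vDJrnn7K9kpnl2ocxjK",
    ]
    for value in samples:
        scheme, truncates = classify(value)
        note = "REPLACE: only first 8 bytes checked" if truncates else "ok"
        print(f"{scheme:18} {note:38} {value}")
    fresh = make_ssha("totototo12;")
    print(check_ssha("totototo12;", fresh), check_ssha("totototo", fresh))
```
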