Re: [OPENLDAP] slapd password confusion

[Technical Home <technicalhome@aliceadsl.fr>]

Harry Jede a écrit :
> Am Samstag, 24. Januar 2009 21:02 schrieb Technical Home:
>   
> > Hello,
> >
> > In my quest to install and understand how works a PDC Samba/OpenLDAP,
> > I encountered a strange problem when setting my slapd admin password.
> > Here is my server configuration :
> >
> > @(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
> >   
> > buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slap
> > d
> >
> > I'm running ubuntu-server 8.10 Intrepid. My ubuntu is up to date. I
> > installed the slapd package from ubuntu repository.
> > dpkg asked me to specify a password for my admin account and I
> > entered a password like this one : totototo12;
> > And now when I try to modify my LDAP tree with the command
> > "ldapmodify -x -D cn=admin,cn=config -W", at the password prompt, I
> > can connect with all this password :
> > totototo12;
> > totototo12
> > totototo1
> > totototo
> > totototo23
> > tototototo
> > ...
> >
> > The only condition to login is that I wrote the beginning of my
> > password
> >
> > : totototo
> >
> > Why slapd does not care about the end of my password ?
> >     
> It is not slapd!
>
>   
> > If I specify a smaller password like toto12; in slapd configuration
> > with dpkg-reconfigure, there is no problem...
> >     
> Sure.
> Sounds like "traditional crypt".
>
> Ubuntu like Debian use a "config script" to configure the package slapd. 
> This script use the traditional crypt function to encrypt the password. 
> So the password is truncated after 8 bytes.
>
> You should update your admin pasword after installation of slapd. To 
> generate a more secure password, use slappasswd. Here some examples:
>
> CRYPT:
>
> :~$slappasswd -s totototo -c zz
> {CRYPT}zzlVHEvuiIwkM
> :~$slappasswd -s totototo12 -c zz
> {CRYPT}zzlVHEvuiIwkM
>
> better CRYPT with md5:
>
> :~$slappasswd -s totototo -h '{CRYPT}' -c '$1$%.8s'
> {CRYPT}$1$sX0cQlKb$ehdgtM8BZ1QuMGfAaFNRg/
> :~$slappasswd -s totototo12 -h '{CRYPT}' -c '$1$%.8s'
> {CRYPT}$1$KYMw4wRU$UhkdIJ8ljQ15y7ThEUBJh0
>
> Recommonded SSHA:
>
> :~$slappasswd -s totototo
> {SSHA}UXb5JkA9naBe8vDJrnn7K9kpnl2ocxjK
> :~$slappasswd -s totototo12
> {SSHA}iU53gYoWmiA8xwxaXy2hOv5tGTGAjvQv
>
> slappasswd does not change your LDAP-DB.
>
>
>
>   
> > If you need more informations to help me to undersatnd what happens,
> > just ask me ;) .
> >
> > Thanks in advance,
> > Gilles
> >     
>
>   
Thanks Harry and Michael ! I now understand why.
I now open a new Thread for an other problem. ^^


Gilles