[Date Prev][Date Next] [Chronological] [Thread] [Top]

crypto without MD5 (ITS#3039)

Full_Name: Martin Strauss
Version: openldap-2.1.25
OS: linux (debian woody)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

Openldap links against libcrypto without checking whether
the function call crypt is compatible to the version found in libcrypt (glibc).

glibc provides an extension for password hashing :

       The glibc2 version of this function has the following  additional  fea-
       tures.   If  salt is a character string starting with the three charac-
       ters "$1$" followed by at most eight characters, and optionally  termi-
       nated  by  "$",  then instead of using the DES machine, the glibc crypt
       function uses an MD5-based algorithm,  and  outputs  up  to  34  bytes,
       namely  "$1$<string>$", where "<string>" stands for the up to 8 charac-
       ters following "$1$" in the salt, followed by 22 bytes chosen from  the
       set [a-zA-Z0-9./].  The entire key is significant here (instead of only
       the first 8 bytes).

most authentification programms use this feature via pam,
the same is true for the pam_ldap module.
It would by nice making slapd compatible to this format.
However on a debian(woody) installation libcrypto (from openssl)
does not provide this feature, and openldap configures with the TLS libraries
-lssl -lcrypto , and is therefore incombatible to this format.

I circumvent this by patching config.status file
=> linking against -lssl -lcrypt -lcrypto works fine

Packages :
libssl0.9.6    0.9.6c-2.woody
libc6          2.2.5-11.5

tar xzf ../archiv/openldap-stable-20031217.tgz

cd openldap-2.1.25

./configure --prefix=/usr/local/app/openldap-2.1.25\
  --enable-slapd \
    --enable-cleartext \
    --enable-crypt \
  --enable-slurpd  \

mv config.status config.status.orig
sed -e "s/-lcrypto/-lcrypt -lcrypto/" config.status.orig > config.status

make depend

thanx, Martin