[Date Prev][Date Next]
crypto without MD5 (ITS#3039)
Full_Name: Martin Strauss
OS: linux (debian woody)
Submission from: (NULL) (188.8.131.52)
Openldap links against libcrypto without checking whether
the function call crypt is compatible to the version found in libcrypt (glibc).
glibc provides an extension for password hashing :
The glibc2 version of this function has the following additional fea-
tures. If salt is a character string starting with the three charac-
ters "$1$" followed by at most eight characters, and optionally termi-
nated by "$", then instead of using the DES machine, the glibc crypt
function uses an MD5-based algorithm, and outputs up to 34 bytes,
namely "$1$<string>$", where "<string>" stands for the up to 8 charac-
ters following "$1$" in the salt, followed by 22 bytes chosen from the
set [a-zA-Z0-9./]. The entire key is significant here (instead of only
the first 8 bytes).
most authentification programms use this feature via pam,
the same is true for the pam_ldap module.
It would by nice making slapd compatible to this format.
However on a debian(woody) installation libcrypto (from openssl)
does not provide this feature, and openldap configures with the TLS libraries
-lssl -lcrypto , and is therefore incombatible to this format.
I circumvent this by patching config.status file
=> linking against -lssl -lcrypt -lcrypto works fine
tar xzf ../archiv/openldap-stable-20031217.tgz
mv config.status config.status.orig
sed -e "s/-lcrypto/-lcrypt -lcrypto/" config.status.orig > config.status