crypto without MD5 (ITS#3039)
Full_Name: Martin Strauss
Version: openldap-2.1.25
OS: linux (debian woody)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (129.69.120.70)
Hi,
OpenLDAP links against libcrypto without checking whether
the crypt function call is compatible with the version found in libcrypt (glibc).
glibc provides an extension for password hashing:

GNU EXTENSION
The glibc2 version of this function has the following additional features. If salt is a character string starting with the three characters "$1$" followed by at most eight characters, and optionally terminated by "$", then instead of using the DES machine, the glibc crypt function uses an MD5-based algorithm, and outputs up to 34 bytes, namely "$1$<string>$", where "<string>" stands for the up to 8 characters following "$1$" in the salt, followed by 22 bytes chosen from the set [a-zA-Z0-9./]. The entire key is significant here (instead of only the first 8 bytes).
Most authentication programs use this feature via PAM,
and the same is true for the pam_ldap module.
It would be nice to make slapd compatible with this format.
However, on a Debian (woody) installation libcrypto (from OpenSSL)
does not provide this feature, and OpenLDAP configures with the TLS libraries
-lssl -lcrypto, and is therefore incompatible with this format.
I circumvent this by patching the config.status file
=> linking against -lssl -lcrypt -lcrypto works fine
Packages:
libssl0.9.6 0.9.6c-2.woody
libc6 2.2.5-11.5

Compilation:
tar xzf ../archiv/openldap-stable-20031217.tgz
cd openldap-2.1.25
./configure --prefix=/usr/local/app/openldap-2.1.25 \
    --enable-syslog \
    --without-cyrus-sasl \
    --with-threads \
    --with-tls \
    --enable-slapd \
    --enable-cleartext \
    --enable-crypt \
    --enable-bdb \
    --enable-slurpd
mv config.status config.status.orig
sed -e "s/-lcrypto/-lcrypt -lcrypto/" config.status.orig > config.status
./config.status
make depend
make
thanx, Martin
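The report's point is that slapd never checks which crypt() it ended up linked against. The example below is an added illustration, not code from the report or from OpenLDAP: it implements a validator for the "$1$<salt>$<22 chars>" output format quoted from the crypt(3) GNU EXTENSION text above, and a probe that feeds a "$1$" salt to a crypt-style function and checks whether the result comes back in that format (a DES-only crypt returns a 13-character string instead). The two stand-in crypt functions, the probe key, the salt "abcdefgh" and the 22-character hash body are constructed here for the demonstration; restricting salt characters to [a-zA-Z0-9./] is an assumption stricter than the quoted man page. To probe a real implementation you would pass `crypt` itself after including <crypt.h> (or <unistd.h> with _XOPEN_SOURCE) and linking with -lcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Characters allowed in the salt and hash body of an MD5-crypt string. */
static int is_crypt_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Return 1 if s has the glibc MD5-crypt shape "$1$<1..8 salt chars>$<22 chars>",
 * 0 otherwise. Salt characters are restricted to [a-zA-Z0-9./] (assumption). */
int is_md5_crypt(const char *s)
{
    const char *p;
    size_t salt_len = 0, hash_len = 0;

    if (s == NULL || strncmp(s, "$1$", 3) != 0)
        return 0;
    for (p = s + 3; *p != '\0' && *p != '$'; p++, salt_len++)
        if (!is_crypt_char(*p))
            return 0;
    if (*p != '$' || salt_len == 0 || salt_len > 8)
        return 0;
    for (p++; *p != '\0'; p++, hash_len++)
        if (!is_crypt_char(*p))
            return 0;
    return hash_len == 22;
}

/* Signature shared by crypt(3) and the stand-ins below. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Probe whether fn honours the "$1$" salt extension: the output must echo the
 * salt prefix and be a well-formed MD5-crypt string. A DES-only crypt (as in
 * the OpenSSL libcrypto described in the report) fails this check. */
int crypt_supports_md5(crypt_fn fn)
{
    const char *salt = "$1$abcdefgh$";          /* constructed probe salt */
    char *out = fn("probe-key", salt);           /* constructed probe key */
    return out != NULL && strncmp(out, salt, strlen(salt)) == 0 && is_md5_crypt(out);
}

/* Stand-in for a DES-only crypt: 13-character result, first two are the salt. */
static char *fake_des_crypt(const char *key, const char *salt)
{
    static char buf[14];
    (void)key;
    snprintf(buf, sizeof buf, "%.2sJnggxhB/yWI", salt);   /* constructed output */
    return buf;
}

/* Stand-in for a glibc-style crypt: honours "$1$", truncates the salt at 8
 * characters or the next '$', and returns a constructed 22-character body. */
static char *fake_md5_crypt(const char *key, const char *salt)
{
    static char buf[64];
    size_t n;
    if (strncmp(salt, "$1$", 3) != 0)
        return fake_des_crypt(key, salt);
    n = strcspn(salt + 3, "$");
    if (n > 8)
        n = 8;
    snprintf(buf, sizeof buf, "$1$%.*s$%s", (int)n, salt + 3,
             "0123456789abcdefghijkl");           /* constructed hash body */
    return buf;
}

int main(void)
{
    /* With a real build, replace the stand-ins by `crypt` to learn which
     * library's implementation slapd actually picked up at link time. */
    printf("DES-only crypt supports $1$: %d\n", crypt_supports_md5(fake_des_crypt));
    printf("glibc-style crypt supports $1$: %d\n", crypt_supports_md5(fake_md5_crypt));
    return 0;
}
```

Running the probe once at startup (or in a configure-time test program) is the missing compatibility check the report describes: if it fails, stored "$1$" hashes will never verify, regardless of how the link line is ordered.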