
Re: crypto without MD5 (ITS#3039)



You should report this problem to the Debian packagers of
OpenSSL.  OpenSSL should instead be built without overriding the
system-provided crypt(3) function.

As far as OpenLDAP's configure is concerned, we assume whatever crypt(3) is
provided in the environment is the desired version of crypt(3).
If the environment provides multiple versions, we have no
way to know which one is correct.  We're not going to attempt
to guess.  (The installer could just as well have wanted the
version in OpenSSL over the version in -lcrypt.)

Kurt

At 09:05 AM 3/25/2004, mys@faveve.uni-stuttgart.de wrote:
>Full_Name: Martin Strauss
>Version: openldap-2.1.25
>OS: linux (debian woody)
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (129.69.120.70)
>
>
>Hi,
>OpenLDAP links against libcrypto without checking whether
>the function call crypt is compatible with the version found in libcrypt (glibc).
>
>glibc provides an extension for password hashing :
>
>GNU EXTENSION
>       The glibc2 version of this function has the following additional
>       features.  If salt is a character string starting with the three
>       characters "$1$" followed by at most eight characters, and optionally
>       terminated by "$", then instead of using the DES machine, the glibc
>       crypt function uses an MD5-based algorithm, and outputs up to 34 bytes,
>       namely "$1$<string>$", where "<string>" stands for the up to 8
>       characters following "$1$" in the salt, followed by 22 bytes chosen
>       from the set [a-zA-Z0-9./].  The entire key is significant here
>       (instead of only the first 8 bytes).
>
>Most authentication programs use this feature via PAM,
>and the same is true for the pam_ldap module.
>It would be nice to make slapd compatible with this format.
> 
>However, on a Debian (woody) installation libcrypto (from OpenSSL)
>does not provide this feature, and OpenLDAP configures with the TLS libraries
>-lssl -lcrypto, and is therefore incompatible with this format.
>
>I circumvented this by patching the config.status file
>=> linking against -lssl -lcrypt -lcrypto works fine
>
>Packages :
>libssl0.9.6    0.9.6c-2.woody
>libc6          2.2.5-11.5
>
>Compilation:
>tar xzf ../archiv/openldap-stable-20031217.tgz
>
>cd openldap-2.1.25
>
>./configure --prefix=/usr/local/app/openldap-2.1.25 \
>  --enable-syslog \
>  --without-cyrus-sasl \
>  --with-threads \
>  --with-tls \
>  --enable-slapd \
>    --enable-cleartext \
>    --enable-crypt \
>    --enable-bdb \
>  --enable-slurpd
>
>mv config.status config.status.orig
>sed -e "s/-lcrypto/-lcrypt -lcrypto/" config.status.orig > config.status
>./config.status
>
>make depend
>make
>
>thanx, Martin
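
The "$1$" scheme described in the quoted man page excerpt, as an added example that is not code from this thread, from OpenLDAP, glibc or OpenSSL. It reimplements the MD5-based crypt(3) algorithm in pure Python so that a {CRYPT} userPassword value produced by glibc can be checked regardless of which crypt() symbol a given slapd binary ended up linked against; the helper and function names (md5crypt, crypt_scheme, verify_md5crypt) and the sample salts and passwords are assumptions made for the example.

```python
import hashlib
import hmac

# Character set for the 22-character hash tail, [a-zA-Z0-9./], in the
# order the reference to64() routine uses.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant 6-bit group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def parse_md5crypt_salt(salt):
    """Apply the salt rules from the man page: optional "$1$" prefix,
    stop at the first "$", keep at most eight characters."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    return salt.split("$", 1)[0][:8]


def md5crypt(password, salt):
    """MD5-based crypt(3) ("$1$" scheme). Returns "$1$<salt>$<22 chars>".

    The whole password is significant, unlike traditional DES crypt,
    which only looks at the first 8 bytes.
    """
    pw = password.encode("utf-8")
    salt = parse_md5crypt_salt(salt)
    s = salt.encode("ascii")

    # Alternate sum MD5(pw + salt + pw), mixed in once per 16 bytes of password.
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + s)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16

    # Quirk of the original implementation: walk the bits of len(pw),
    # feeding a NUL byte for set bits and the first password byte otherwise.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the fixed, slightly irregular schedule.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(s)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # Output bytes are interleaved in this specific order before base-64 encoding.
    f = final
    tail = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return MAGIC + salt + "$" + tail


def crypt_scheme(stored):
    """Classify a crypt(3)-style hash (optionally prefixed with LDAP's {CRYPT}).

    Returns "md5crypt" for a well-formed "$1$<salt>$<22 chars>" value,
    "des" for a 13-character traditional hash, and None otherwise.
    """
    if stored.startswith("{CRYPT}"):
        stored = stored[len("{CRYPT}"):]
    if stored.startswith(MAGIC):
        parts = stored.split("$")  # ["", "1", salt, tail]
        if (len(parts) == 4 and len(parts[2]) <= 8 and len(parts[3]) == 22
                and all(c in ITOA64 for c in parts[3])):
            return "md5crypt"
        return None
    if len(stored) == 13 and all(c in ITOA64 for c in stored):
        return "des"
    return None


def verify_md5crypt(password, stored):
    """Check a candidate password against a stored "$1$" hash in constant time."""
    if stored.startswith("{CRYPT}"):
        stored = stored[len("{CRYPT}"):]
    if crypt_scheme(stored) != "md5crypt":
        return False
    # The stored value doubles as the salt argument: "$1$" is stripped and
    # the salt ends at the next "$", exactly as crypt(3) does.
    return hmac.compare_digest(md5crypt(password, stored), stored)
```

This is a diagnostic and verification aid, not a replacement for the system crypt(3): a crypt() that only implements the DES machine, which is what the original report describes for the libcrypto it linked against, would treat the first two characters of a "$1$..." salt as a DES salt and return a 13-character string, so a stored "$1$" hash never matches through it, while the function above reproduces the glibc result from the same stored value.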