[Date Prev][Date Next] [Chronological] [Thread] [Top]

Incorporating md5-BSD-style passwd-hash in openldap (fwd)



	Hi!

	I'm dealing with md5-BSD-style password problem when integrating
an unix system authentication with openldap, using pam_ldap, as a lot of
people already did.

	As far as I know, a part of the problem is solved when we reorder
de libs used to build openldap (as shown in attached patch) using
--enable-crypt (which is auto enabled when configure found crypt(3) on
your system).

	After doing this you'll be able to authenticate on ldap, however
you're using crypt(3) from your system, which might not support
md5-BSD-style hashed passwords, and this is the main reason why openldap
team (correct me if I'm wrong) adopted as a future path only to support
openssl's hash algorithms.

	The other part of the problem is changing the password. In that
case openldap generates and stores a simple crypt(3) password.

	I've watched openssl development and they already support
md5-bsd-style passwd, since version 0.9.6a-beta2:

# ./openssl version
OpenSSL 0.9.6a 5 Apr 2001
# ./openssl passwd -1 -salt "thesalt" testing
$1$thesalt$/lDHZdWThB1ytP6T3QBRM0
# ./openssl passwd -salt "thesalt" testing (generates simple crypt
thsYYME6sTlh.                               salt="th")

	What is still missing is to incorporate this extension to
crypt() function on openssl libs, but the work is being done!

	I have a strong motivation to add a new password-hash type,
something like:

{md5crypt}$1$thesalt$/lDHZdWThB1ytP6T3QBRM0

in order to solve this once for all in a clean way.

	What do you think of incorporate that on openldap?

	Are password-hash functions implemented on
* lutil_authpassword()	coded in libraries/liblutil/authpasswd.c
* lutil_passwd()	coded in libraries/liblutil/passwd.c

	Is this self-contained (appears to be)?

	Would my task be harder than code 2 new functions,
chk_md5crypt() and hash_md5crypt(), with the changes to pw_schemes[] for
both lib functions?

	What are the side effects?

	I'm probably missing something, please advise!

	Thanks in advance.
	Best regards,

-- 
	Paulo Matos
 ----------------------------------- ----------------------------------
|Sys & Net Admin                    | Serviço de Informática           |
|Faculdade de Ciências e Tecnologia | Tel: +351-21-2941346             |
|Universidade Nova de Lisboa        | Fax: +351-21-2948548             |
|P-2825-114 Caparica                | e-Mail: pjsm@fct.unl.pt          |
 ----------------------------------- ----------------------------------

diff -uNr openldap-2.0.7.orig/servers/slapd/Makefile.in openldap-2.0.7/servers/slapd/Makefile.in
--- openldap-2.0.7.orig/servers/slapd/Makefile.in	Thu Oct  5 17:05:37 2000
+++ openldap-2.0.7/servers/slapd/Makefile.in	Wed Mar 28 09:11:51 2001
@@ -43,8 +43,9 @@
 # $(LTHREAD_LIBS) must be last
 XLIBS = libbackends.a -lavl -lldbm -lldif -llutil -lldap_r -llber
 XXLIBS = $(LDBM_LIBS) $(SLAPD_LIBS) \
+	 $(LUTIL_LIBS) \
 	 $(SECURITY_LIBS) \
-	 $(LDIF_LIBS) $(LUTIL_LIBS)
+	 $(LDIF_LIBS) 
 XXXLIBS = $(LTHREAD_LIBS) $(MODULES_LIBS)
 
 BUILD_OPT = "--enable-slapd"