
Re: Why?



Hello,

> >The LDIF entry you've posted also contains another problem:
> >
> >userPassword: {crypt}$1$xxb015.t$82nccnBPZbYxYgunoshP91
> 
> This may or may not be valid.  It depends upon your implementation
> of crypt(3).  On many systems, crypt(3) supports a variety of
> algorithms.  The '{crypt}' userPassword scheme supports whatever
> crypt(3) supports as that is what it uses internally.

I think the original author mentioned Linux as his target platform and
I don't see a way to get the crypt-function common on Linux to use
another algorithm.

But of course you're totally right in pointing this out. I just wanted
to avoid another possible pitfall for the original author.

> >userPassword: {md5}$1$xxb015.t$82nccnBPZbYxYgunoshP91
> 
> This is NOT an RFC2307 '{md5}' password and will not work.
> (The fact that the passwd(5) value may be generated using
> MD5 does not make the value compatible with RFC2307 scheme).

You're right once again. I never stumbled over that, because I just
followed the FAQs on www.openldap.org when I tried using pam_ldap. SHA
and its salted version seem to be heavily recommended there and this
always worked nicely for me.

Regards,

Stephan
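
Added example, not part of the original message or of OpenLDAP: a Python check that tells a crypt(3) string such as the $1$ value quoted above apart from a base64 digest value as used by {MD5} and {SSHA}. The function names and the set of schemes covered are assumptions of this example.

```python
import base64
import binascii
import hashlib
import re

# Raw digest length in bytes for each hashed scheme covered here.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
SALTED = {"SMD5", "SSHA"}  # salt is appended after the digest
# crypt(3) modular format: $id$salt$hash ($1$ is MD5-crypt on glibc).
MODULAR_CRYPT = re.compile(r"\$[0-9a-z]+\$[./0-9A-Za-z]*\$[./0-9A-Za-z]+")
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-char form


def make_md5(password: bytes) -> str:
    """Build a {MD5} value: base64 of the raw 16-byte MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_user_password(value: str) -> str:
    """Return 'ok', or a short reason the value does not fit its scheme."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", value)
    if not m:
        return "no scheme prefix"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        # Format check only: whether the algorithm works depends on crypt(3).
        ok = MODULAR_CRYPT.fullmatch(body) or DES_CRYPT.fullmatch(body)
        return "ok" if ok else "not a crypt(3) string"
    if scheme not in DIGEST_LEN:
        return "unknown scheme"
    if MODULAR_CRYPT.fullmatch(body):
        return "crypt(3) string under a digest scheme; use {CRYPT}"
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    need = DIGEST_LEN[scheme]
    if scheme in SALTED:
        return "ok" if len(raw) > need else "missing salt"
    return "ok" if len(raw) == need else "wrong digest length"
```
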