
Re: Using MD5 passwords with LDAP


Thanks for the reply, but as I have mentioned once below, and want to draw 
your attention once again to it, I tried using the openldap 1.2 rpms that
come with the rh7.0 system. I _am_ able to use MD5 auth with those. 
I even tried it once on rh7.2, using openldap 2.11, and that also works.
So finally it boils down to how redhat has managed to get this

Any ideas??

On 2001.11.08 22:04 Todd Lyons wrote:
> Jatin Nansi wanted us to know:
> >hi,
> >
> >i am trying to use openldap as  an authentication server. 
> >since rhl 7.0 uses MD5 passwds, and since i have over 
> >5000 users, i need to be able to authenticate with the 
> >same passwd string as from /etc/shadow.
> I have gone through this exact scenario.  OpenLDAP is only capable of
> using two characters of salt, not 8 like the shadow MD5 crypted password
> uses.  The result is that openldap is not capable of using shadow
> passwords as authentication.  It's highly possible that the code could
> be patched to allow this authentication to occur.  But I think I found a
> message or a note in a text file once that said that the ldap server was
> not intended to replicate functionality of the system password function.
> It can serve as a data storage for that system password data, but the
> client (system auth tools, imap server, etc) is to get the info and do
> the authentication itself.
> Now I am not a developer.  It's possible that I am wrong.  But the way
> that I ended up doing it (with Courier Imap) was that I put the shadow
> password entry in userPassword as clear text (ie no {crypt} in front of
> it) and then set CourierImap AUTHREBIND=0.  CourierImap doesn't attempt
> to bind to the directory as the user, instead, it obtains the shadow
> password string and does the comparison internally.
> I've entertained patching it myself to do this but there are two
> problems with that:
> 1) My C coding abilities suck (Slepp Lukai was the guy who found the
> bits of code that determined that OpenLDAP could not use more than 2
> characters of salt)
> 2) The project maintainers probably won't accept it as it violates their
> "this is not to replace the system authentication tools" principle.
> At any rate, good luck with this.  There is a definite lack of
> information out there on the net.  If it turns out that we're compiling
> it wrong or have a devel lib missing that would magically make all this
> work, I wouldn't be surprised, but it's not documented anywhere.
> All of this was done with OpenLDAP 2.0.7.
> -- 
> Blue skies...		Todd
> | Get a bigger hammer!   |  Are you feeling lucky...punk?         |
> | http://www.mrball.net  |  I've had better days...               |
> | http://faq.mrball.net  |  It's the end of the world as we know i|
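The scheme Todd describes, a client fetching the shadow-style string from userPassword and doing the comparison itself rather than binding as the user, amounts to reimplementing MD5-crypt ($1$) on the client. The following is an added example written for this page; it is not code from the thread, from OpenLDAP or from Courier-IMAP. It implements the $1$ algorithm (8-character salt, 1000 MD5 rounds, the same format glibc writes into /etc/shadow), parses a userPassword value with or without OpenLDAP's {CRYPT} prefix, and compares in constant time. The sample password and salt are constructed here, not taken from any real shadow file, and the traditional 13-character DES form is only parsed (to show its 2-character salt), not verified.

```python
"""Client-side check of an MD5-crypt ($1$) userPassword value.

Added example for this thread, not code from OpenLDAP or Courier-IMAP.
The stored value used below is constructed in this file, not copied from
a real /etc/shadow.
"""
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    """crypt(3)-style base64: least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt as used by glibc for '$1$' shadow passwords.

    The salt is up to 8 characters, which is the mismatch discussed above:
    traditional crypt(3) strings carry only a 2-character salt.
    """
    salt = salt[:8]
    magic = b"$1$"

    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # fold in the alternate digest, one byte per byte of password
    for i in range(0, len(password), 16):
        ctx.update(alt[:min(16, len(password) - i)])
    # the original implementation's bit-by-bit quirk: a zero byte or the
    # first password byte, depending on each bit of the password length
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a fixed schedule of inputs
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (magic + salt + b"$" + encoded).decode("ascii")


def parse_userpassword(stored: str):
    """Split a userPassword value into (scheme, salt, hash).

    Accepts the bare shadow string (as in Todd's setup) or the same string
    behind OpenLDAP's {CRYPT} prefix. '$1$' strings yield scheme '1' and an
    8-character salt; the traditional 13-character form yields 'des' and a
    2-character salt.
    """
    if stored.startswith("{CRYPT}"):
        stored = stored[len("{CRYPT}"):]
    if stored.startswith("$"):
        _, scheme, salt, digest = stored.split("$", 3)
        return scheme, salt, digest
    return "des", stored[:2], stored[2:]


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt, _ = parse_userpassword(stored)
    if scheme != "1":
        raise ValueError("only MD5-crypt ($1$) strings are handled here")
    if stored.startswith("{CRYPT}"):
        stored = stored[len("{CRYPT}"):]
    computed = md5_crypt(candidate.encode("utf-8"), salt.encode("ascii"))
    return hmac.compare_digest(computed, stored)


# Constructed sample: what a client would read back from userPassword.
SAMPLE_USERPASSWORD = md5_crypt(b"s3cret-pass", b"Qm7xL2pa")

if __name__ == "__main__":
    print(SAMPLE_USERPASSWORD)
    print(verify_userpassword(SAMPLE_USERPASSWORD, "s3cret-pass"))
    print(verify_userpassword(SAMPLE_USERPASSWORD, "wrong"))
```

Two things worth keeping in mind with this arrangement. Storing the shadow string in userPassword without a scheme prefix only works because the client never asks the server to bind with it, so the attribute must be protected by ACLs as carefully as /etc/shadow: anyone who can read it gets an offline-crackable MD5-crypt hash. And because the comparison happens in the client, every client (IMAP, PAM, and so on) needs its own correct implementation of the algorithm; a flaw in any one of them is an authentication bypass for that service.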