
Using MD5 passwords with LDAP (no progress)



Jeff,

Thanks for this reply.

I tried using the passwd with both {CRYPT} and {MD5}
and it does not work.
Another thing to note is that when I use ldapsearch with the rootdn
I get a totally wacky userPassword field. It looks nothing like the
real hashed passwd.

So if the hashed passwd looks like:

{crypt}$1$IUVFU.Gl$EAxiELOKANSaTYac6q59W0


the ldapsearch passwd looks like this:

userPassword:: e2NyeXB0fSQxJElVVkZVLkdsJEVBeGlFTE9LQU5TYVRZcGo2cTU5VzA=

(note the 2 colons)

And the really mad thing is that gq still manages to show the same passwd
correctly, i.e.:

{crypt}$1$IUVFU.Gl$EAxiELOKANSaTYac6q59W0

And of course the authentication does not work.

So now I am totally lost as to the goings-on here.


My slapd.conf (if it helps):

----------------------------------------------------------------------------------

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/redhat/rfc822-MailMember.schema
include         /usr/local/etc/openldap/schema/redhat/autofs.schema
include         /usr/local/etc/openldap/schema/redhat/kerberosobject.schema

# include local timesgroup schema:
include         /usr/local/etc/openldap/schema/timesgroup.schema

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

schemacheck     on
sizelimit       200
timelimit       30      # Seconds

# password-hash {MD5}


database        ldbm

suffix          "dc=timesgroup,dc=com"

rootdn          "cn=jatin,dc=timesgroup,dc=com"
rootpw          {crypt}HGv4zIL8XuQr.

directory       /usr/local/var/openldap-ldbm

# Indices to maintain
index uid pres,eq
index cn,sn pres,eq,sub
index   objectClass     eq

# ldbm access control definitions

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=jatin,dc=timesgroup,dc=com" write
        by * none

access to attr=proxyAccess
        by self read
        by dn="cn=jatin,dc=timesgroup,dc=com" write
        by * none

access to *
        by dn="cn=jatin,dc=timesgroup,dc=com" write
        by users read
----------------------------------------------------------------------------


Any ideas???


Jatin


On 2001.11.08 23:51 Jeff Costlow wrote:
> You are correct to use the {CRYPT} prefix, the {MD5} prefix uses a
> different algorithm than unix crypt(3) with MD5 passwords.
> See this thread in the Faq-O-Matic for algorithm info.
> http://www.openldap.org/faq/data/cache/419.html
> Short answer: if a password starts with $1$, it was hashed by crypt(3).
> 
> If you are using the password modify extended operation, read the
> slapd.conf man page, as you probably want to use something like:
> password-hash {crypt}
> password-crypt-salt-format "$1$%.8s"
> to have slapd crypt(3) the user's password with the correct salt.
> 
> 
> If a passwd starts with $apr1$, it was generated by apache's htpasswd
> util, which uses a different, incompatible, MD5 algorithm.  Kurt, would
> it make sense to add a new password handler to handle {apache} passwords?
>  I know I might have found them useful at one point.  I'd be willing to
> do the work.  I'm sure the work done for that could be extended into any
> work done for RFC3112 (authPassword) work.  BTW, anyone working on that?
> 
> 
> -----Original Message-----
> From: Jatin Nansi [mailto:jatin.nansi@timesgroup.com]
> Sent: Thursday, November 08, 2001 6:18 AM
> To: openldap-software@OpenLDAP.org
> Subject: Using MD5 passwords with LDAP
> 
> The problem is that the user gets an Invalid Credentials message
> whenever I try connecting as the user. If I change the passwd to
> using {crypt} and create a new passwd, then the user authenticates,
> but not using {MD5} and the md5 crypted passwd.
> 
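Added example, written for this archive page and not taken from the thread or from OpenLDAP: it decodes the double-colon ldapsearch line quoted above (RFC 2849 base64 output, not a corrupted value) and contrasts OpenLDAP's {MD5} scheme, base64 of an unsalted raw MD5 digest, with the $1$ MD5-crypt that only the {CRYPT} scheme can verify, which is Jeff's point. All function names are mine; the sample password "password" used for the {MD5} value is constructed.

```python
"""Added example (not from the thread): decode the double-colon LDIF line and
show why a $1$ crypt(3) hash only verifies under the {CRYPT} scheme."""
import base64, binascii, hashlib, hmac, re

# Constructed input: the ldapsearch output line quoted in the post, verbatim.
LDIF_LINE = "userPassword:: e2NyeXB0fSQxJElVVkZVLkdsJEVBeGlFTE9LQU5TYVRZcGo2cTU5VzA="
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

def parse_ldif_attr(line):
    """(attribute, value) for one LDIF line, RFC 2849: a double colon means the
    value is base64-encoded for output only. ldapsearch does this for
    userPassword, so the directory holds the plain '{crypt}$1$...' string."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()

def split_scheme(value):
    """'{crypt}$1$x' -> ('CRYPT', '$1$x'); no prefix means a cleartext value."""
    m = SCHEME_RE.match(value)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)

def ldap_md5(password):
    """OpenLDAP's {MD5} scheme: base64 of the unsalted 16-byte MD5 digest,
    a different algorithm from the salted $1$ MD5-crypt of crypt(3)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def verify_md5(stored, candidate):
    """Constant-time check of a candidate password against a {MD5} value."""
    return split_scheme(stored)[0] == "MD5" and \
        hmac.compare_digest(stored, ldap_md5(candidate))

def describe(stored):
    """How slapd will treat a stored userPassword; flags the thread's mistake,
    a $1$ crypt string filed under {MD5}, which can never verify."""
    scheme, data = split_scheme(stored)
    if scheme == "MD5":
        try:
            ok = len(base64.b64decode(data, validate=True)) == 16
        except binascii.Error:
            ok = False
        return ("{MD5}: unsalted MD5 digest" if ok else
                "malformed {MD5}: not a 16-byte digest; a $1$ hash belongs under {CRYPT}")
    if scheme == "CRYPT":
        if data.startswith("$apr1$"):
            return "{CRYPT}: Apache htpasswd MD5 variant, not crypt(3)-compatible"
        return "{CRYPT}: crypt(3) " + ("MD5-crypt" if data.startswith("$1$") else "DES")
    return "cleartext" if scheme is None else "{%s}: other scheme" % scheme
```

Decoding the posted base64 gives {crypt}$1$IUVFU.Gl$EAxiELOKANSaTYpj6q59W0, which differs from the hash typed above in only two characters, so the stored value is what the poster expects up to a likely retyping. The case that fails is the same $1$ string stored under {MD5}, which describe() reports as malformed.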