
RE: LDAP with PAM.D mixes {CRYPT} and {MD5}



Please read the FAQ I referenced below.
$1$salt$hash is the MD5 algorithm of the crypt(3) function call.  In other words, you should preface {CRYPT} in front of anything that looks like that.  It is _not_ the {MD5} algorithm.

The {MD5} algorithm is for a base64-encoded MD5 hash of the user's password.  If you use {MD5}$1$salt$hashed, good luck getting it to work, because it won't.

In my directory, I used {CRYPT}$1$salt$hashed, and it works just fine.

-----Original Message-----
From: Matthias Eichler [mailto:mylists@ame.de]
Sent: Tuesday, January 28, 2003 2:04 AM
To: Jeff Costlow
Cc: openldap-software@OpenLDAP.org
Subject: RE: LDAP with PAM.D mixes {CRYPT} and {MD5}


Hi Jeff,

I think maybe you are wrong now...
CRYPT is the "old" password style of /etc/shadow, is most spread
in the systems and most compatible but not as secure as
MD5 passwords!
So that's why we really want to store MD5 passwords and not crypt
passwords...:-)

Bye,
Matthias

On Mon, 2003-01-27 at 18:40, Jeff Costlow wrote:
> CRYPT and MD5 passwords are completely different.  CRYPT is what is stored in /etc/password.  MD5 is just an MD5 hash of the password.
> I think you really want CRYPT passwords, not MD5.
> 
> http://www.openldap.org/faq/data/cache/419.html
> 
> 
> -----Original Message-----
> From: Matthias Eichler [mailto:mylists@ame.de]
> Sent: Monday, January 27, 2003 6:43 AM
> To: openldap-software@OpenLDAP.org; pamldap@padl.com
> Subject: LDAP with PAM.D mixes {CRYPT} and {MD5}
> 
> 
> Hi Folx,
> 
> we have some LDAP server with pam_ldap and MD5 passwords
> running, but it seems that whether LDAP or PAM.D mixes
> MD5 with CRYPT:
> 
> A user has a userPassword set to: {MD5}$1$STRINGBLABLA
> 
> When I do a passwd over pam.d as this user now, passwd
> stores the new password as a {MD5}-String into the LDAP
> directory, but declares this as {CRYPT}.
> Looks like this:
> 
> ---
> userPassword: {crypt}$1$bEHlpx.2$L9WYWbmhStUV9iLQ1tg6m.
> ---
> 
> It does not make sense at all, but it definitely stores
> a MD5-String and declares this as crypt...
> 
> Does anybody know how this can happen and how do we
> get rid of this bug?!?
> - Yes, we have MD5 set in the slapd.conf
> - Yes, we have MD5 set in the pam_ldap.conf
> - Yes, we have MD5 set in the /etc/pam.d/* files
> 
> Thank you for your help.
> 
> Matthias
-- 
Matthias Eichler <mylists@ame.de>
AME Aigner Media & Entertainment