RE: LDAP with PAM.D mixes {CRYPT} and {MD5}

Please read the FAQ I referenced below.
$1$salt$hash is the MD5 algorithm of the crypt(3) function call.  In other words, you should preface {CRYPT} in front of anything that looks like that.  It is _not_ the {MD5} algorithm.

The {MD5} algorithm is for base64-encoded MD5 hash of the user's password.  If you use {MD5}$1$salt$hashed, good luck getting it to work, because it won't.

In my directory, I used {CRYPT}$1$salt$hashed, and it works just fine.

-----Original Message-----
From: Matthias Eichler [mailto:mylists@ame.de]
Sent: Tuesday, January 28, 2003 2:04 AM
To: Jeff Costlow
Cc: openldap-software@OpenLDAP.org
Subject: RE: LDAP with PAM.D mixes {CRYPT} and {MD5}

Hi Jeff,

I think maybe you are wrong now...
CRYPT is the "old" password style of /etc/shadow, is most spread
in the systems and most compatible but not as secure as
MD5 passwords!
So that's why we really want to store MD5 passwords and not crypt


On Mon, 2003-01-27 at 18:40, Jeff Costlow wrote:
> CRYPT and MD5 passwords are completely different.  CRYPT is what is stored in /etc/password.  MD5 is just an MD5 hash of the password.
> I think you really want CRYPT passwords, not MD5.
> http://www.openldap.org/faq/data/cache/419.html
> -----Original Message-----
> From: Matthias Eichler [mailto:mylists@ame.de]
> Sent: Monday, January 27, 2003 6:43 AM
> To: openldap-software@OpenLDAP.org; pamldap@padl.com
> Subject: LDAP with PAM.D mixes {CRYPT} and {MD5}
> Hi Folx,
> we have some LDAP server with pam_ldap and MD5 passwords
> running, but it seems that either LDAP or PAM.D mixes
> MD5 with CRYPT:
> A user has a userPassword set to: {MD5}$1$STRINGBLABLA
> When I do a passwd over pam.d as this user now, passwd
> stores the new password as a {MD5}-String into the LDAP
> directory, but declares this as {CRYPT}.
> Looks like this:
> ---
> userPassword: {crypt}$1$bEHlpx.2$L9WYWbmhStUV9iLQ1tg6m.
> ---
> It does not make sense at all, but it definitely stores
> a MD5-String and declares this as crypt...
> Does anybody know how this can happen and how do we
> get rid of this bug?!?
> - Yes, we have MD5 set in the slapd.conf
> - Yes, we have MD5 set in the pam_ldap.conf
> - Yes, we have MD5 set in the /etc/pam.d/* files
> Thank you for your help.
> Matthias
Matthias Eichler <mylists@ame.de>
AME Aigner Media & Entertainment
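
Added example (not part of the original thread and not OpenLDAP or pam_ldap code): a Python check that tells apart the two value formats discussed above, a crypt(3) `$1$salt$hash` string versus the base64-encoded MD5 digest that {MD5} expects, and flags a scheme prefix that does not match the stored value. The function names and the regular expression for the `$1$` format are assumptions of this example.

```python
import base64
import binascii
import hashlib
import re

# Assumed shape of a crypt(3) MD5 value: $1$<salt, up to 8 chars>$<22-char hash>
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# userPassword scheme prefix, e.g. {CRYPT} or {MD5} (case-insensitive)
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def ldap_md5(password: str) -> str:
    """Build a {MD5} value: base64 of the raw 16-byte MD5 digest, no salt."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def check_user_password(value: str) -> str:
    """Report whether the scheme prefix matches the format of the value."""
    m = SCHEME_RE.match(value)
    if not m:
        return "no scheme prefix"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        if MD5_CRYPT_RE.match(body):
            return "ok: crypt(3) value using the $1$ (MD5-based) algorithm"
        return "ok: crypt(3) value, algorithm not classified here"
    if scheme == "MD5":
        if body.startswith("$1$"):
            return "mismatch: crypt(3) $1$ value labelled {MD5}; use {CRYPT}"
        try:
            raw = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return "mismatch: {MD5} body is not valid base64"
        if len(raw) != 16:
            return "mismatch: {MD5} body does not decode to 16 bytes"
        return "ok: base64-encoded MD5 digest"
    return "scheme not handled in this example"


if __name__ == "__main__":
    # The two userPassword values quoted in the thread, plus a constructed one.
    for v in ("{crypt}$1$bEHlpx.2$L9WYWbmhStUV9iLQ1tg6m.",
              "{MD5}$1$STRINGBLABLA",
              ldap_md5("constructed-sample-password")):
        print(v, "->", check_user_password(v))
```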