
Re: userPassword - if it's stored in {crypt} format, how do you make ldappasswd keep it that way when a user changes it?



In a message dated: Tue, 20 May 2003 11:19:33 PDT
"Jeff Costlow" said:

>slapd.conf(5) and search for password-hash and password-crypt-salt-format.
>
>here's what I have in my slapd.conf:
>password-hash {CRYPT}
>password-crypt-salt-format "$1$.8s"
>
>but if you use the 2nd line above, make sure that you have a crypt that supports $1$....$.... md5-based password.
>$1$...$.... is still {CRYPT}, not {MD5}!!!

According to the slapd.conf man page, this isn't accurate.  The 
password-crypt-salt-format parameter simply takes an sprintf(3) 
format string to be passed to crypt(3).  In SOME cases, crypt will 
interpret the string "$1$%.8s" to mean that it should use an MD5 
algorithm for the encryption, not the standard DES, which is what 
crypt(3) defaults to.

For standard DES-based crypt(3) passwords, I believe the correct 
combination to be:

	password-hash {CRYPT}
	password-crypt-salt-format "%.2s"

This creates a 2-character salt, which is what the DES/crypt(3) uses. 
Specifying "$1$%.8s" would specify 8 characters of salt.  Therefore, 
if your crypt(3) does not handle passing it 8 characters correctly, 
then you may be asking for trouble by specifying a hash of {CRYPT} 
and a salt length of 8 characters. (this is just speculation.)

Of course, if you're using glibc2, then you're safe, since crypt(3) 
on a glibc2 based machine correctly handles the passing of the 
sprintf(3) string "$1$%.8s".
-- 

Seeya,
Paul
--
Key fingerprint = 1660 FECC 5D21 D286 F853  E808 BB07 9239 53F1 28EE

	It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

	 If you're not having fun, you're not doing it right!
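A worked example of the mechanism Paul describes, added here and not code from the thread or from OpenLDAP: it expands a password-crypt-salt-format template the way sprintf(3) would, builds the "$1$..." MD5-crypt value that password-hash {CRYPT} would store next to what {MD5} would store for the same password, and checks a candidate password against each. The function names are the example's own. make_salt() models only the "%s" and "%.Ns" conversions of the template; md5crypt() is a pure-Python rendering of the classic $1$ algorithm so the block runs without libcrypt; platform_crypt() cross-checks it against the C library's crypt(3) through ctypes when such a library can be loaded (assumed, not required); DES crypt, the "%.2s" case, is not reimplemented because it needs a real crypt(3).

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# crypt(3)'s salt/output alphabet; slapd draws random salt characters from it.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(fmt: str, rand: Optional[str] = None) -> str:
    """Expand a password-crypt-salt-format template with random salt characters.

    The template is an sprintf(3) format whose single %s argument is the random
    salt string, so "%.2s" keeps two characters (DES) and "$1$%.8s" keeps eight
    behind the MD5-crypt magic.  Only %s / %.Ns are modelled (example assumption).
    """
    if rand is None:
        rand = "".join(secrets.choice(SALT_CHARS) for _ in range(16))
    return re.sub(r"%(?:\.(\d+))?s",
                  lambda m: rand[:int(m.group(1))] if m.group(1) else rand, fmt)


def _to64(value: int, count: int) -> str:
    """crypt(3)'s little-endian base-64 of the low 6*count bits of value."""
    out = ""
    for _ in range(count):
        out += SALT_CHARS[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: bytes, setting: bytes) -> str:
    """MD5-based crypt(3): "$1$<salt>$<22 chars>".  Mirrors crypt(3)'s handling
    of the setting: optional "$1$" prefix, salt cut at '$' and at 8 characters."""
    if setting.startswith(b"$1$"):
        setting = setting[3:]
    salt = setting.split(b"$", 1)[0][:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for _ in range(len(password) // 16):      # one alt byte per password byte
        ctx.update(alt)
    ctx.update(alt[:len(password) % 16])
    i = len(password)
    while i:                                  # bit-walk of the password length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the deliberate stretching loop
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    f = final
    text = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
            + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
            + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
            + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
            + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
            + _to64(f[11], 2))
    return "$1$" + salt.decode() + "$" + text


def crypt_userpassword(password: str, salt_format: str,
                       rand: Optional[str] = None) -> str:
    """userPassword value for password-hash {CRYPT} with the given salt format."""
    setting = make_salt(salt_format, rand)
    if not setting.startswith("$1$"):
        raise NotImplementedError("DES crypt needs the platform crypt(3)")
    return "{CRYPT}" + md5crypt(password.encode(), setting.encode())


def md5_userpassword(password: str) -> str:
    """userPassword value for password-hash {MD5}: base64 of a raw, unsalted digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a candidate against a stored {MD5} or {CRYPT}$1$ value."""
    pw = candidate.encode()
    if stored.startswith("{MD5}"):
        want = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(want, hashlib.md5(pw).digest())
    if stored.startswith("{CRYPT}$1$"):
        setting = stored[len("{CRYPT}"):]         # crypt(pw, hash) == hash
        return hmac.compare_digest(md5crypt(pw, setting.encode()), setting)
    raise ValueError("scheme not handled by this example: " + stored[:8])


def platform_crypt(password: str, setting: str) -> Optional[str]:
    """Call the C library's crypt(3) through ctypes, or None if it cannot be found."""
    import ctypes
    import ctypes.util
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", None):
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError, TypeError):
            continue
        fn.restype = ctypes.c_char_p
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        out = fn(password.encode(), setting.encode())
        if out and not out.startswith(b"*"):      # "*0"/"*1" mean failure
            return out.decode()
    return None


if __name__ == "__main__":
    for fmt in ("%.2s", "$1$%.8s"):
        print(f"{fmt:10} -> setting handed to crypt(3): {make_salt(fmt)!r}")
    stored = crypt_userpassword("secret", "$1$%.8s")
    print(stored, check_userpassword(stored, "secret"), check_userpassword(stored, "Secret"))
    print(md5_userpassword("secret"), "<- what {MD5} stores for the same password")
```

Run as a script it shows the two settings produced by "%.2s" and "$1$%.8s", a stored {CRYPT} value that verifies only for the right password, and the {MD5} value for the same password, which shares nothing with the "$1$" one even though both are MD5-based. Both DES crypt and "$1$" are legacy schemes today; the example is about what the configuration produces, not a recommendation.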