
password changes/encryption help



Hi all.

I believe I had this working at some point much earlier in my testing. Now that I'm almost ready for production, of course, it broke :-(

I have Linux (currently RH 9) clients that I would like to have change their passwords using the standard passwd binary and pam_ldap. The OpenLDAP server (v 2.1.21 IIRC) is also running RH9, with back-bdb. It has been built with the 'enable-crypt' option.

Passwords can be changed using the command line program 'passwd'. However, the passwords are useless (exiting that user's shell and 'su'ing back to that user with the new password fails with 'Incorrect password'). In my /etc/ldap.conf file, I'm using 'pam_password md5'. I've also tried 'pam_password crypt'. Here's where my confusion starts:

If I have the password crypted on the client before being sent to the server, is the server then going to crypt it *again*, because I compiled with '--enable-crypt'? There's no 'password-hash {}' line in my slapd.conf, but the man page says that SSHA is the default.

This seems like it would mean I should just specify 'pam_password clear' in ldap.conf on the client, and 'password-hash {CRYPT}' on the server. However, this did not work either. Passwords appear to be generated (no errors from the 'passwd' program - and I can verify with an LDAP GUI that it's changed), but the resulting passwords can't be used for authentication. The passwords in the directory look like standard 13-character crypt passwords, if that helps.

Any clues hereby solicited.
brian.
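
An added diagnostic example, not part of the original post and not OpenLDAP or pam_ldap code: it reads the `{SCHEME}` prefix of a stored `userPassword` value and tests whether the value verifies against the typed password or against a client-side hash of it, which is the double-hashing case the post asks about. The function names, result labels and sample values are constructed for illustration; `{CRYPT}` and unprefixed values are only identified, not verified.

```python
import base64
import hashlib
import hmac

# Digest algorithm and length per scheme; salted schemes append the salt.
SCHEMES = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
           "MD5": ("md5", 16), "SMD5": ("md5", 16)}

def make_value(scheme, secret, salt=b""):
    """Build a userPassword value: {SCHEME}base64(digest(secret+salt)+salt)."""
    algo, _ = SCHEMES[scheme]
    digest = hashlib.new(algo, secret.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def split_value(value):
    """Return (scheme, body); scheme is None when there is no {SCHEME} prefix."""
    if value.startswith("{") and "}" in value:
        scheme, body = value[1:].split("}", 1)
        return scheme.upper(), body
    return None, value

def verify(value, secret):
    """Check secret against a {SHA}/{SSHA}/{MD5}/{SMD5} value."""
    scheme, body = split_value(value)
    if scheme not in SCHEMES:
        return False
    algo, size = SCHEMES[scheme]
    raw = base64.b64decode(body)
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(algo, secret.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def diagnose(value, password, client_scheme="MD5"):
    """Classify a stored value against the password the user typed."""
    scheme, _ = split_value(value)
    if scheme is None:
        return "no-scheme-prefix"   # e.g. a bare 13-character crypt string
    if scheme == "CRYPT":
        return "crypt"              # verifying needs crypt(3); not done here
    if scheme not in SCHEMES:
        return "unknown-scheme"
    if verify(value, password):
        return "hashed-once"
    # Hypothesis from the post: the server hashed an already-hashed string.
    if verify(value, make_value(client_scheme, password)):
        return "hashed-twice"
    return "mismatch"
```

A result of `hashed-twice` means the stored digest covers the client's `{MD5}...` string rather than the password itself, so a bind with the clear password cannot match.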