
Re: Invalid Credentials using hashed password



At 09:28 AM 2/23/2004, Scott Dutton wrote:
>I am having a problem using the ldap client utilities with a hashed password.

I assume you mean you are having trouble authenticating where
the server is configured with a hashed password.  Clients, themselves,
(when simple authentication is in use) deal only with plaintext
passwords.

>Here are the logical steps I have performed:
>
>1. Set up slapd.conf as noted in the openldap admin guide (with our minor modifications to it)
>2. Ran slappasswd -s password to get the SSHA value. Copied and pasted into the slapd.conf file after the rootpw parameter.
>3. At this point I can add some entries in using a command such as "ldapadd -f entries.ldif -x -D "cn=ldapman,dc=example,dc=com" -w password".

I assume you (re)started the server somewhere between 2 and 3.

>The problem is at some point (possibly after stopping and starting the ldap service), I get the invalid credentials error when trying to search or add more entries. If I re-run the slappasswd -s password command and re-copy and paste it into the slapd.conf file, I am able to perform ldap client operations again - until the next time it gives me the invalid credentials message.
>I can't seem to find the common denominator of when the hashed password can not be read by the ldap client utilities but it could possibly be after a stop and start of the ldap service.

Note that the hashed password is never "read by the ldap client utilities".
The LDAP client utilities pass whatever value you enter as the simple
password over the wire (in the clear).  The server then applies
a hash to this value, comparing the result of the hash with that
specified in the rootpw directive.

Note that if you change slapd.conf, then you have to restart the
service before those changes are realized.

>Anyone have any idea why I have to keep rehashing the same password over and over and re-entering it over and over into the slapd.conf file in order to make changes, additions, etc, etc???

I suspect things begin to work because you failed to restart
the server due to previous changes to slapd.conf.  That is,
previous changes you thought were realized weren't because you
didn't restart the server.  Then, having problems, you reset
the password and restart.  Things now work... but not because
you reset the password, but because you restarted the server.

Either that or you just didn't memorize the correct password. :-)

Kurt
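
The server-side comparison described in the reply above, as an added example that is not part of the original message and is not OpenLDAP's own code. It assumes the common {SSHA} layout, base64(SHA1(password + salt) + salt); the function names, the 4-byte salt length and the sample password are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value the way a slappasswd-style tool would."""
    if salt is None:
        salt = os.urandom(4)  # assumed length; check_ssha accepts any length
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, presented: str) -> bool:
    """Hash the plaintext from the simple bind with the stored salt and compare."""
    scheme, _, b64 = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # damaged or truncated paste
        return False
    if len(raw) <= SHA1_LEN:  # no salt present
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(presented.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: the same password hashed twice gives different
    # rootpw strings (random salt), yet both accept the same plaintext.
    first, second = make_ssha("password"), make_ssha("password")
    print(first, second, sep="\n")
    print(check_ssha(first, "password"), check_ssha(second, "password"))
    print(check_ssha(first, "Password"))       # wrong plaintext
    print(check_ssha(first[:-4], "password"))  # value cut short when pasted
```

Because each run picks a fresh salt, regenerating the hash for an unchanged password produces a new string that is no more and no less valid than the old one; a bind fails only if the plaintext differs or the stored value the running server loaded is not the one you expect.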