
OpenLDAP isn't binding when users have userPassword in {crypt} format


I'm using the OpenLDAP version 2.2.15 (from the HP Internet Express v2
bundle) to store my users' information.
I'm noticing that when the users have a clear text password value for
the userPassword attribute, I am able to bind with that user's
credentials using ldapsearch. I am also able to authenticate through
pam_ldap. However, if the userPassword is stored in OpenLDAP in {crypt}
format, then the bind fails with "Invalid Credentials" and consequently,
login also fails using pam_ldap.

Does anyone have any ideas why OpenLDAP isn't authenticating properly
when the user's password is stored in {crypt} format?

I'm wondering if it isn't an issue with this build of OpenLDAP, unless
someone knows of a configuration setting which may explain this.

I tried changing the rootpw value to {crypt} format in the slapd.conf
but this didn't help. I was still unable to bind as any user with a
{crypt} formatted password including the directory root user.

Here's another interesting and possibly related symptom. The utility
'/opt/iexpress/openldap/sbin/slappasswd' (it's a symlink to 'slapd')
can be used to generate a hashed value for a given cleartext
password. This program works fine with everything but the {CRYPT}
scheme. When I try to run this utility to generate a {crypt} formatted
password string, it fails. Here is an example:

 # cd /opt/iexpress/openldap/sbin 
 # ./slappasswd -v -u -s hpadmin1 -h {CRYPT} -c "%.2s" 
Password generation failed for scheme {CRYPT}: scheme not recognized 

Any comments? Suggestions?


Marc Fontana 
Internet & Security  
e-mail: Marc.Fontana@hp.com
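For readers following this thread, here is an added illustration (my own code, not OpenLDAP's and not Marc's) of the mechanism behind both symptoms: slapd looks at the {scheme} prefix of userPassword and dispatches to a verifier for that scheme; a value whose scheme the build does not know can never match, so a simple bind with such a password fails with "Invalid Credentials" even though the stored hash is perfectly good. The script verifies cleartext, {MD5}/{SMD5}, {SHA}/{SSHA} and, when the Python crypt module is available, {CRYPT} values, and reports "scheme not recognized" for anything else, mirroring the slappasswd message above. The sample userPassword values at the bottom are constructed for the demo; the function and variable names are mine.

```python
"""Verify a candidate password against an RFC 2307 style userPassword value.

Added example: mimics slapd's dispatch on the {scheme} prefix. It is not
OpenLDAP's own code; all names here are the author's own choices.
"""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # stdlib crypt(3) wrapper; removed in Python 3.13
except ImportError:  # same situation as a slapd built without crypt support
    crypt = None

# digest length in bytes for the salted and unsalted digest schemes
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
HASH_FUNC = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
             "SHA": hashlib.sha1, "SSHA": hashlib.sha1}


def parse_userpassword(stored):
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def check_password(stored, candidate):
    """Return 'ok', 'mismatch' or 'scheme not recognized'."""
    scheme, payload = parse_userpassword(stored)
    cand = candidate.encode("utf-8")

    if scheme is None:  # cleartext userPassword: constant-time byte compare
        return "ok" if hmac.compare_digest(payload.encode("utf-8"), cand) else "mismatch"

    if scheme in DIGEST_LEN:
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "mismatch"
        n = DIGEST_LEN[scheme]
        digest, salt = raw[:n], raw[n:]  # salted variants append the salt after the digest
        if len(digest) != n:
            return "mismatch"
        calc = HASH_FUNC[scheme](cand + salt).digest()
        return "ok" if hmac.compare_digest(calc, digest) else "mismatch"

    if scheme == "CRYPT":
        if crypt is None:
            return "scheme not recognized"
        # crypt(3) takes its salt from the stored string itself (first two
        # characters for traditional DES, the $id$salt$ prefix for modular formats)
        return "ok" if hmac.compare_digest(crypt.crypt(candidate, payload), payload) else "mismatch"

    return "scheme not recognized"


def make_hash(scheme, password, salt=None):
    """Produce a {scheme} value the way 'slappasswd -h {scheme}' does."""
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        raise ValueError("scheme not recognized: {" + scheme + "}")
    if scheme in ("SMD5", "SSHA"):
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = HASH_FUNC[scheme](password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    # constructed sample entries; the MD5 value is the digest of "secret"
    samples = [
        ("secret", "secret"),
        ("{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==", "secret"),
        (make_hash("SSHA", "hpadmin1"), "hpadmin1"),
        ("{BOGUS}AAAA", "secret"),
    ]
    if crypt is not None:
        samples.append((crypt.crypt("secret", "ab"), "secret"))
        samples.append(("{CRYPT}" + crypt.crypt("secret", "ab"), "secret"))
    for stored, candidate in samples:
        print("%-40s -> %s" % (stored, check_password(stored, candidate)))
```

Note the last two demo rows: a raw crypt(3) string without the {CRYPT} prefix is treated as cleartext and fails, while the same string with the prefix verifies only when the crypt scheme is available; that is exactly the difference between a scheme being present in the build and merely being stored in the directory.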