
Re: SSHA encryption and migration from 2.0 to 2.2





--On Thursday, March 02, 2006 1:24 PM -0600 Darrell Swoap <dswoap@rackspace.com> wrote:

My organization currently uses several OpenLDAP 2.0 servers for purposes
of authenticating users against a centralized database. Users in the
directory currently have a mix of encryption schemes for their
userPassword attributes (MD5 and SSHA) which works fine at the moment.
When using slapcat and slapadd to populate a new OpenLDAP 2.2 server,
binds for users with an MD5 encrypted password continue to work, but
users with an SSHA encrypted password fail to bind and receive the
"invalid credentials" error.

These symptoms occur when doing a bind in association with an
ldapsearch. That is, binding with a dn whose entry contains an
MD5-encrypted userPassword attribute works, but the bind fails when the
entry contains an SSHA-encrypted userPassword attribute. Also, this
affects OpenLDAP 2.2 server packages for both RedHat EL3/4 and Debian
Sarge. (Note that I'm using pre-packaged software rather than software
from source.)

Interestingly, the "rootpw" in slapd.conf is encrypted SSHA, and I can
bind as the rootdn user just fine.

Thanks in advance for any suggestions or information,

I suggest that you don't use vendor packages from these vendors. I believe the SSHA issue is a known problem with the Debian packages and their crypt linking. Not sure about Red Hat.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
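As an added illustration that is not part of this thread, the check below recomputes the {SSHA} and {MD5} userPassword formats slapd stores (base64 of sha1(password + salt) followed by the salt, and base64 of the raw MD5 digest), so a slapcat'd value can be verified offline against a known password before concluding that the failing bind is a server-side problem such as the crypt linking mentioned above. The sample password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: bytes, salt: bytes = b"") -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if not salt:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password: bytes) -> str:
    """Build an OpenLDAP-style {MD5} value: base64 of the raw, unsalted digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode("ascii")


def verify_userpassword(stored: str, password: bytes) -> bool:
    """Check a plaintext against a {SSHA} or {MD5} userPassword value.

    A True result means the hash survived slapcat/slapadd intact, so an
    "invalid credentials" bind is not caused by a damaged attribute value.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {scheme} prefix")
    scheme, _, encoded = stored.partition("}")
    scheme = scheme[1:].upper()  # scheme names are case-insensitive
    raw = base64.b64decode(encoded)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        if len(digest) != 20:
            return False
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(password).digest(), raw)
    raise ValueError("unsupported scheme " + scheme)


if __name__ == "__main__":
    # Constructed sample: a user whose LDIF carries an SSHA value and one with MD5.
    for value in (make_ssha(b"secret", b"abcd"), make_md5(b"secret")):
        print(value, verify_userpassword(value, b"secret"))
```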