Re: Authenticating against slapd installed from package

Marc Tardif <marc@interunion.ca> writes:

> * Marc Tardif <marc@interunion.ca> [2006-07-20 10:53 -0400]:
>> I have installed OpenLDAP 2.2.26 from package on Ubuntu 6.06 LTS. The
>> postinst script prompts for a password to create an admin user. However,
>> when I try to run the ldapsearch command as the admin with that password, I
>> get the following error message:
>>   $ ldapsearch -x -w password -D "cn=admin,dc=nodomain" '(objectclass=*)'
>>   ldap_bind: Invalid credentials (49)
> [snip]
>> So, any ideas what I might be doing wrong?
> I have managed to address the authentication problem encountered by
> ldapsearch. It seems that the encryption used for the password wasn't
> being recognized by the authentication mechanism. So, I changed the
> password for cleartext with the following commands:

> Then the ldapsearch command output the content of the LDAP database:
>   $ ldapsearch -x -w password -D "cn=admin,dc=nodomain" '(objectclass=*)'
>   ...
> So, here is the value for the userPassword attribute before ldapsearch
> worked:
>   userPassword:: e2NyeXB0fUY2ZGdUZmF0SlUubTY=
> And after ldapsearch started working:
>   userPassword:: d2FydGhvZ3M=
> Both are meant to be for the same password, so what might be the problem?
> Can I change the decryption algorithm from the ldapsearch options?

The first attribute value is the crypt hash of your cleartext
password; both are displayed base64 encoded, so it is quite easy to
decrypt your password with mimencode -u.
I presume that my first guess, that slapd has problems with your crypt
hashed password, has come true.
You may either change the hashing algorithm (see man slappasswd(8))
and use simple binds, or stick to cleartext and use a shared secret
authentication like SASL mechanism DIGEST-MD5, although I personally
prefer Kerberos v5 and GSSAPI.


Dieter Klünter | Systemberatung
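
Added example, not part of the original message: a small audit script that reads an LDIF export, base64-decodes each `userPassword` value as described in the reply above, and reports only the storage scheme prefix (such as `{crypt}`), never the value. The function names, the `RISK` grouping and the second and third sample entries are assumptions made for this example; the first two `userPassword` values are the ones quoted in the thread.

```python
import base64
import re

# Constructed LDIF. The first two userPassword values are the ones quoted in
# the thread; the DNs of entries 2 and 3 and the folded {SSHA} value are invented.
SAMPLE_LDIF = """\
dn: cn=admin,dc=nodomain
userPassword:: e2NyeXB0fUY2ZGdUZmF0SlUubTY=

dn: cn=admin-after,dc=nodomain
userPassword:: d2FydGhvZ3M=

dn: cn=svc,dc=nodomain
userPassword: {SSHA}AAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAA
"""

# Assumed grouping for the report; adjust to local policy.
RISK = {"cleartext": "stored in the clear",
        "crypt": "crypt(3) hash, depends on the platform's crypt()",
        "md5": "unsalted hash", "sha": "unsalted hash",
        "smd5": "salted hash", "ssha": "salted hash"}

def parse_attr(line):
    """Split one unfolded LDIF line into (attr, bytes); '::' means base64."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.lower(), base64.b64decode(rest[1:].strip())
    return attr.lower(), rest.strip().encode()

def storage_scheme(raw):
    """Return the lower-cased {SCHEME} prefix, or 'cleartext' if none."""
    m = re.match(rb"^\{([A-Za-z0-9_.-]+)\}", raw)
    return m.group(1).decode().lower() if m else "cleartext"

def audit_ldif(ldif):
    """Return (dn, scheme, note) per userPassword value, never the value."""
    results, dn = [], None
    # Join LDIF continuation lines (newline followed by one space) first.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        attr, value = parse_attr(line)
        if attr == "dn":
            dn = value.decode("utf-8", "replace")
        elif attr == "userpassword":
            scheme = storage_scheme(value)
            results.append((dn, scheme, RISK.get(scheme, "unknown scheme")))
    return results

if __name__ == "__main__":
    for dn, scheme, note in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {scheme} ({note})")
```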