On Tuesday 03 April 2007, Rocky Zhou wrote:
> Now I'm making the openldap and Kerberos working together, I have a
> question about the password the ldap used. The configuration file
> /usr/local/etc/openldap/slapd.conf has these lines:
> # rootpw secret
> rootpw {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ
> while the second line is generated by slappasswd, I tried to use:
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f
> passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'
> to import accounts info into the database, but it reports:
> ldap_bind: Invalid credentials (49)
>
> If I use:
> rootpw secret
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f
> passwd.ldif -w 'secret', it works.
>
> So why does the '{SSHA}' method failed?
Because a hashes are one-way.
It would be pointless if you could use the hash as a clear-text equivalent.
If you want strong authentication, don't use simple binds (thus, you need to
end up removing rootpw).
Regards,
Buchan
--
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
Attachment:
pgpjoQd3Optvp.pgp
Description: PGP signature