
RE: Problem changing passwords after import


Thank you, I will try this route.

-----Original Message-----
From: openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org on behalf of Howard Chu
Sent: Tue 8/14/2007 5:07 AM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import

Rick Tautin wrote:
> Once I change the user's password I can successfully do an ldapwhoami, so
> I would assume that I am binding at that point.  I guess I am looking at
> how to proceed with users that have not had their passwords changed as
> the manager.  Is there a different way that I should have imported them?

No, not really, short of cracking all of the crypt'd passwords so you could
import their plaintext. The point is that you need to compile slapd with
--enable-crypt and make sure that the crypt() routine you link with is the same
one as (or compatible to) the system uses for its own authentication checks. As
pointed out in the FAQ http://www.openldap.org/faq/index.cgi?file=1041 if
you're using OpenSSL it's very likely that you've got the wrong one.

> Thanks
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Monday, August 13, 2007 9:28 PM
> To: Rick Tautin
> Cc: Pierangelo Masarati; openldap-software@openldap.org
> Subject: Re: Problem changing passwords after import
> Rick Tautin wrote:
>> The directory is the only place that there is user information.  I took
>> all the entries out of the old password file and the only thing that is
>> in there are the local accounts.  So if it is not getting its
>> credentials from the directory I don't know where it would be getting it
>> from.  Also when I stop the server I am unable to check mail or ftp to
>> our servers.
> You're missing the crucial point that Unix services can authenticate users
> against an LDAP database without performing an LDAP Bind operation on that
> user. I.e., with sufficient privileges nss_ldap can just retrieve a user's
> userPassword attribute and authenticate against it when it is stored in
> crypt(3) format, even if slapd doesn't itself support crypt (or the same
> version of crypt).

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
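
An added illustration, not part of the original thread or of OpenLDAP: a short Python script that tallies which crypt(3) variants appear in the {CRYPT} userPassword values of an LDIF export, which shows what the crypt() routine linked into slapd has to handle before simple binds can succeed for imported users. The sample LDIF, its DNs and hash strings are constructed, and the function names are hypothetical.

```python
import base64
import re
from collections import Counter

# Constructed sample LDIF; every DN and hash string below is made up.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword: {CRYPT}abJnggxhB/yWI",
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{CRYPT}$1$salt$" + b"x" * 22).decode(),
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: {CRYPT}$6$saltsalt$AAAAAAAAAAAAAAAAAAAA",
    " BBBBBBBBBBBBBBBBBBBB",  # LDIF folded continuation line
    "",
    "dn: uid=dave,ou=People,dc=example,dc=com",
    "userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxl",
])

# Modular-crypt prefixes that select the algorithm inside crypt(3).
CRYPT_PREFIXES = {"$1$": "md5", "$2": "bcrypt", "$5$": "sha256", "$6$": "sha512"}

def iter_values(ldif):
    """Yield each userPassword value, unfolding lines and decoding base64."""
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        m = re.match(r"(?i)userPassword(::?)\s*(.*)", line)
        if m:
            yield (base64.b64decode(m.group(2)).decode("utf-8", "replace")
                   if m.group(1) == "::" else m.group(2))

def classify(value):
    """Name the storage scheme; for {CRYPT}, name the crypt(3) variant."""
    m = re.match(r"\{([\w-]+)\}(.*)", value)
    if not m:
        return "no-scheme"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme  # e.g. SSHA: verified by slapd itself, not by crypt()
    variant = next((n for p, n in CRYPT_PREFIXES.items() if body.startswith(p)), None)
    return "crypt/" + (variant or ("des" if len(body) == 13 else "unrecognized"))

def summarize(ldif):
    """Count entries per scheme so the required crypt() variants are visible."""
    return Counter(classify(v) for v in iter_values(ldif))

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LDIF)))
```

Run `summarize()` over the LDIF you imported; every `crypt/...` bucket is a variant that both the system's crypt() and the one slapd links against must agree on.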