
Re: fedora and openldap



On Tue, 5 Apr 2011, Judith Flo Gaya wrote:

[with ldappasswd I get]
e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0=

[but with passwd I get]
e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA=

[after running]
authconfig --enableforcelegacy --disablecachecreds --enableldap --enableldapauth --ldapserver=172.19.5.13 --ldapbasedn=dc=linux,dc=imppc,dc=org --disableldaptls --disablefingerprint --disablewinbind --disablewins --disablesssd --disablesssdauth --disablenis --enablecache --enablelocauthorize --usemd5 --updateall

This command takes care of all the pam.d files, and considering that the ssh does work with the password set by the ldappasswd command, where is the problem?

I find those hard to read, so:

$ echo e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= | openssl enc -d -base64
{MD5}i27/v62xAo6b8GmvaGPx6w==

$ echo e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= | openssl enc -d -base64
{crypt}$1$DuT3b0KP$MF6d9Pj8axRAztEoU45T40

So, with ldappasswd you're getting MD5 userPassword values (and you seem to be happy with that), but with passwd you're getting crypt userPassword values (which are not using the MD5 scheme you seem to be happy with).

With that in mind, I'd propose the command that "takes care of all the pam.d files" might not be as complete as you hoped. I'd check the "password" pam stack and make sure that it's configured to generate MD5 passwords or, much better yet, use the LDAP Password Modify operation just as your ldappasswd invocation does.

So your real question going forward is: I've got an OpenLDAP installation that happily uses the {MD5} scheme for userPassword attributes, how do I get passwd(1) to write into that format? The exact methods for this depend on your PAM stack and the available modules; you might be better off asking the Fedora community (assuming they provided you with this "authconfig" command) or the provider(s) of your PAM module(s) and/or your passwd(1) command.
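
The decode-and-compare step from the message above, as an added Python example that is not part of the original message: it decodes base64 userPassword values as they appear in LDIF, reports the storage scheme of each, and lists the entries that do not use the expected scheme. The function names and the scheme tables are this example's own; the two sample values are the ones quoted in the message.

```python
import base64

# Modular crypt format ids used by crypt(3) hashes of the form $id$salt$hash
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# Raw digest sizes for the digest schemes; SMD5/SSHA append a salt to the digest
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}


def classify(b64_value):
    """Return (scheme, detail) for a base64 userPassword value from LDIF."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII content
        return ("INVALID", "not base64-encoded ASCII")
    if not text.startswith("{") or "}" not in text:
        return ("NONE", "no {scheme} prefix")
    scheme, payload = text[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CRYPT":
        fields = payload.split("$")
        if len(fields) >= 4 and fields[0] == "":
            return ("CRYPT", CRYPT_IDS.get(fields[1], "unrecognised id " + fields[1]))
        return ("CRYPT", "no $id$ prefix")
    if scheme in DIGEST_LEN:
        try:
            digest = base64.b64decode(payload, validate=True)
        except ValueError:
            return (scheme, "malformed digest")
        extra = len(digest) - DIGEST_LEN[scheme]
        salted = scheme in ("SMD5", "SSHA")
        if extra < 0 or (extra != 0 and not salted) or (extra == 0 and salted):
            return (scheme, "unexpected length")
        return (scheme, "salted digest" if salted else "unsalted digest")
    return (scheme, "scheme not handled here")


def mismatches(entries, expected_scheme):
    """List the names whose stored scheme differs from the one expected."""
    return [name for name, value in entries if classify(value)[0] != expected_scheme]


# The two values quoted in the message above, labelled by the tool that wrote them
SAMPLES = [
    ("ldappasswd", "e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0="),
    ("passwd", "e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA="),
]

if __name__ == "__main__":
    for name, value in SAMPLES:
        print(name, classify(value))
    print("not {MD5}:", mismatches(SAMPLES, "MD5"))
```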