
Re: fedora and openldap





On 04/06/2011 02:44 PM, Aaron Richton wrote:
> On Tue, 5 Apr 2011, Judith Flo Gaya wrote:
>
>> [with ldappasswd I get]
>> e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0=
>>
>> [but with passwd I get]
>> e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA=
>>
>> [after running]
>> authconfig --enableforcelegacy --disablecachecreds --enableldap
>> --enableldapauth --ldapserver=172.19.5.13
>> --ldapbasedn=dc=linux,dc=imppc,dc=org --disableldaptls --disablefingerprint
>> --disablewinbind --disablewins --disablesssd --disablesssdauth --disablenis
>> --enablecache --enablelocauthorize --usemd5 --updateall
>>
>> This command takes care of all the pam.d files, and considering that the ssh
>> does work with the password set by the ldappasswd command, where is the
>> problem?
>
> I find those hard to read, so:
>
> $ echo e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= | openssl enc -d -base64
> {MD5}i27/v62xAo6b8GmvaGPx6w==
>
> $ echo e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= | openssl enc -d -base64
> {crypt}$1$DuT3b0KP$MF6d9Pj8axRAztEoU45T40

Sorry, I should have provided them.

> So, with ldappasswd you're getting MD5 userPassword values (and you seem
> to be happy with that), but with passwd you're getting crypt userPassword
> values (which are not using the MD5 scheme you seem to be happy with).
>
> With that in mind, I'd propose the command that "takes care of all the
> pam.d files" might not be as complete as you hoped. I'd check the
> "password" pam stack and make sure that it's configured to generate MD5
> passwords or, much better yet, use the LDAP Password Modify operation just
> as your ldappasswd invocation does.

I did try to add the md5 variable in the pam stack, but unsuccessfully. I also tried to change the authconfig command to generate md5 passwords, but they didn't match the ones in the server.
In the end I changed the pam_ldap.conf file with this line:
pam_password exop
and it worked, although I'm not quite sure what this option is doing (I'm reading the RFC now). I'm also considering changing the encryption on the server side to match this auth protocol.

> So your real question going forward is: I've got an OpenLDAP installation
> that happily uses the {MD5} scheme for userPassword attributes, how do I
> get passwd(1) to write into that format? The exact methods for this depend
> on your PAM stack and the available modules; you might be better off
> asking the Fedora community (assuming they provided you with this
> "authconfig" command) or the provider(s) of your PAM module(s) and/or your
> passwd(1) command.

The command wasn't provided by the community; I was just exploring different options to configure the authentication on the client side (in a scriptable way) and found this binary, which changes all the config files instead of editing them one by one.
But sure, I can ask them.

Thanks a lot!
j
--
Judith Flo Gaya
Systems Administrator IMPPC
e-mail: jflo@imppc.org
Tel (+34) 93 554-3079
Fax (+34) 93 465-1472

Institut de Medicina Predictiva i Personalitzada del Càncer
Crta Can Ruti, Camí de les Escoles s/n
08916 Badalona, Barcelona,
Spain
http://www.imppc.org
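The two points the thread turns on, the `{scheme}` prefix that makes `{MD5}` and `{crypt}` values different but equally valid, and the Password Modify extended operation that `pam_password exop` selects, as an added example that is not part of this thread and not OpenLDAP's or pam_ldap's own code. Python is used rather than the shell one-liners above because the hashing and the BER encoding are clearer there. Assumptions: the plaintext `secret` and the DN `uid=jdoe,dc=example,dc=org` are constructed sample inputs; the plaintexts behind the two real values quoted above are unknown, so those are only decoded and parsed; `{crypt}` verification depends on Python's `crypt` module, which is deprecated and gone in 3.13, so the checker answers None when it cannot verify.

```python
import base64
import hashlib
import hmac
import os
import re

# The two base64 attribute values from the thread (plaintexts unknown).
LDAPPASSWD_VALUE = "e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0="
PASSWD_VALUE = "e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA="

# RFC 3062 requestName of the Password Modify extended operation.
OID_PASSWD_MODIFY = "1.3.6.1.4.1.4203.1.11.1"

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)
# OpenLDAP hashing schemes this example can reproduce: unsalted MD5/SHA, salted SMD5/SSHA.
_DIGEST = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}


def decode_attr(b64):
    """What `echo ... | openssl enc -d -base64` did: recover the literal userPassword value."""
    return base64.b64decode(b64).decode()


def split_scheme(value):
    """Return (SCHEME, data) for '{scheme}data'; (None, value) for a cleartext password."""
    m = SCHEME_RE.match(value)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)


def _hash_part(plaintext, scheme, salt=b""):
    """base64 body of a {SCHEME} value: digest(password + salt) with the salt appended."""
    if scheme not in _DIGEST:
        raise ValueError("unsupported scheme " + scheme)
    digest = _DIGEST[scheme](plaintext.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def make_userpassword(plaintext, scheme="MD5", salt=None):
    """Build a '{SCHEME}...' value the way slappasswd -h '{SCHEME}' does."""
    scheme = scheme.upper()
    if scheme in ("SMD5", "SSHA") and salt is None:
        salt = os.urandom(4)
    return "{%s}%s" % (scheme, _hash_part(plaintext, scheme, salt or b""))


def verify_userpassword(plaintext, value):
    """True/False when the scheme can be checked here, None when it cannot."""
    scheme, rest = split_scheme(value)
    if scheme is None:  # cleartext stored value
        return hmac.compare_digest(plaintext.encode(), rest.encode())
    if scheme in _DIGEST:
        salt = base64.b64decode(rest)[_DIGEST[scheme]().digest_size:]  # empty for MD5/SHA
        return hmac.compare_digest(_hash_part(plaintext, scheme, salt), rest)
    if scheme == "CRYPT":
        try:
            import crypt  # deprecated since Python 3.11, removed in 3.13
        except ImportError:
            return None
        # crypt(3) reads the setting ($1$DuT3b0KP$ means MD5-crypt) from the stored string.
        return hmac.compare_digest(crypt.crypt(plaintext, rest), rest)
    return None


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def passwd_modify_request_value(user_identity=None, old_passwd=None, new_passwd=None):
    """BER-encode PasswdModifyRequestValue (RFC 3062, section 2.1):
    SEQUENCE { userIdentity [0] OCTET STRING OPTIONAL,
               oldPasswd    [1] OCTET STRING OPTIONAL,
               newPasswd    [2] OCTET STRING OPTIONAL }
    Present fields carry the context-specific primitive tags 0x80, 0x81, 0x82.
    This is the requestValue a `pam_password exop` client sends; the server,
    not the client, then chooses the storage scheme."""
    body = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            data = field.encode() if isinstance(field, str) else field
            body += bytes([tag]) + _ber_len(len(data)) + data
    return b"\x30" + _ber_len(len(body)) + body


if __name__ == "__main__":
    for v in (LDAPPASSWD_VALUE, PASSWD_VALUE):
        print(split_scheme(decode_attr(v)))
    stored = make_userpassword("secret", "MD5")  # constructed sample plaintext
    print(stored, verify_userpassword("secret", stored), verify_userpassword("guess", stored))
    print(passwd_modify_request_value("uid=jdoe,dc=example,dc=org", None, "secret").hex())
```

The prefix is what matters to the server: slapd dispatches on `{MD5}` versus `{crypt}` when it checks a simple bind, so the value written by passwd was not broken, just a different scheme, and both verify. With `pam_password exop` the client sends the request above and never hashes anything itself; slapd hashes the new password with its own `password-hash` setting, which is why the stored values then came out in the same scheme ldappasswd produced.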