[Gllug] LDAP problem
Russell Howe
rhowe at siksai.co.uk
Tue Dec 20 18:00:23 UTC 2005
On Tue, Dec 20, 2005 at 11:59:23AM +0000, Alain Williams wrote:
> Hi,
>
> Summary: passwords with openldap 2.0 don't seem to work with openldap 2.2
>
> Old machine: openldap2-2.0.23 SUSE: Sles8
> New machine: openldap2-2.2.6 SUSE: Sles9
>
> The user information has been carried across in an ldif file.
>
> The schema can't quite carry over since openldap 2.2 is more exacting than 2.0
>
> I notice that /etc/openldap/schema/core.schema now (2.2) has commented out:
> attributetype ( 2.5.4.35 NAME 'userPassword'
> but if I comment it back in openldap complains of duplicate attributeType.
> I think that that is a red herring.
Yes, probably. The newer versions of OpenLDAP have certain schema
definitions compiled in, and so they're commented out of the schema
files.
> Passwords are set via a php script, the relevant bit is:
> $salt = pack("C2",(rand(0, 25)+65),(rand(0, 25)+65)); // two uppercase letters: rand() is inclusive, so 0..25 maps to 'A'..'Z'
> $md5pw = md5($password . $salt);
> $bin = pack('H*', $md5pw);
> $encpw = base64_encode($bin . $salt);
> $mods['userPassword'] = '{smd5}' . $encpw; // $mods is the list of modifications
> This works with openldap 2.0
No idea if that's correct or not... try using ldappasswd or
slappasswd...
> The passwords that come out of ldapsearch look like:
> userPassword:: e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE
> (for password 'password')
The '::' says "This value is base64-encoded"
echo e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE |openssl base64 -d
gives:
{smd5}yH+LwuQBD5ywE9QiJP5vXlZD
So, that's the value of your 'userPassword' attribute in a more
human-readable form.
> If I try and authenticate with that user:
> ldapsearch -LLL -b dc=example,dc=uk -D uid=testuser,dc=example,dc=uk -x -w password
> it fails on the new system but works on the old one.
> Failure message:
> ldap_bind: Invalid credentials (49)
What does the server say, if you run it with debugging turned on?
> If (on the new system) I set the password on my testuser to (using slapadd):
> userPassword:: cGFzc3dvcmQ=
> (also for 'password') authentication works properly.
> I can't remember how I generated the above string, it is set for the cyrus user.
echo cGFzc3dvcmQ |openssl base64 -d; echo
Gives nothing...
> /etc/ldap.conf is the same on both machines.
>
> /etc/slapd.conf contains (on both machines)
> password-hash {smd5}
>
>
> syslog messages:
> saslauthd[26685]: Authentication failed for testuser: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
> saslauthd[26685]: do_auth : auth failure: [user=testuser] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
>
> I am at a loss .... has anyone got any pointers please.
Maybe smd5 support isn't there any more, or it has stricter requirements
(padding bytes or something?)
--
Russell Howe | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
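As an added illustration (not from the thread, nor OpenLDAP's own code), the following Python reproduces the two decoding steps discussed above and the {SMD5} layout the PHP script is meant to produce. It assumes OpenLDAP's documented scheme, base64(MD5(password + salt) + salt), where the salt is whatever follows the 16-byte digest; the stored value and the ldapsearch strings are the ones quoted in the thread, the padded form of the cleartext value is assumed to be `cGFzc3dvcmQ=`, and the salt alphabet (two uppercase letters) follows the PHP script's intent. The parser accepts the scheme name in either case so that the lowercase `{smd5}` prefix from the script and the uppercase `{SMD5}` that slappasswd emits can be compared side by side.

```python
import base64
import hashlib
import secrets
import string
from typing import Optional, Tuple

# Value quoted in the thread (already stripped of ldapsearch's '::' layer).
STORED_SMD5 = "{smd5}yH+LwuQBD5ywE9QiJP5vXlZD"
SCHEME = "{smd5}"


def decode_ldif_value(b64: str) -> str:
    """Undo the '::' base64 layer that ldapsearch puts on values that are
    not safe to print as plain LDIF."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def make_smd5(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SMD5} value: base64(MD5(password + salt) + salt).
    Without an explicit salt, two random uppercase letters are used, which
    is what the PHP script in the thread intends."""
    if salt is None:
        salt = "".join(secrets.choice(string.ascii_uppercase) for _ in range(2)).encode()
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def parse_smd5(value: str) -> Tuple[bytes, bytes]:
    """Split a {SMD5} value into (digest, salt). The scheme name is matched
    case-insensitively; the salt is everything after the 16-byte digest."""
    if not value.lower().startswith(SCHEME):
        raise ValueError("not an {SMD5} value")
    raw = base64.b64decode(value[len(SCHEME):], validate=True)
    if len(raw) < hashlib.md5().digest_size:
        raise ValueError("payload shorter than an MD5 digest")
    return raw[:16], raw[16:]


def check_smd5(password: bytes, value: str) -> bool:
    """Verify a password against a stored {SMD5} value."""
    digest, salt = parse_smd5(value)
    expected = hashlib.md5(password + salt).digest()
    return secrets.compare_digest(digest, expected)


if __name__ == "__main__":
    # Step 1: strip the '::' layer from the ldapsearch output.
    print(decode_ldif_value("e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE"))
    # Step 2: look inside the {SMD5} payload.
    digest, salt = parse_smd5(STORED_SMD5)
    print("digest bytes:", len(digest), "salt:", salt)
    # Same layout generated locally, then verified.
    fresh = make_smd5(b"password", salt)
    print(fresh, check_smd5(b"password", fresh), check_smd5(b"wrong", fresh))
```

Comparing the locally generated value with the output of `slappasswd -h '{SMD5}' -s password` (ignoring the random salt) is a quick way to confirm whether the script's layout is what the server expects; the remaining difference between the two is then only the case of the scheme name.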
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug