LDAP problem

Alain Williams addw at phcomp.co.uk
Thu Dec 15 19:59:48 EST 2005

Summary: passwords with openldap 2.0 don't seem to work with openldap 2.2

I am migrating 9,000 users onto bigger hardware, two machines, etc.
User authentication is sasl with the info held in an openldap database.
After looong digging I find that the reason that users cannot login to imap
is down to the password in ldap somehow being wrong.

Old machine: openldap2-2.0.23	SUSE: Sles8
New machine: openldap2-2.2.6	SUSE: Sles9

The user information has been carried across in an ldif file.

The schema can't quite carry over since openldap 2.2 is more exacting than 2.0, so a few
fields I have to remove as I copied (users had 'objectClass: organization' & the such,
which the should not have).

I notice that /etc/openldap/schema/core.schema now (2.2) has commented out:
	attributetype ( NAME 'userPassword'
but if I comment it back in openldap complains of duplicate attributeType.
I think that that is a red herring.

Passwords are set via a php script, the relevant bit is:
	$salt =  pack("C2",(rand(0, 26)+65),(rand(0, 26)+65));
	$md5pw = md5($password . $salt);
	$bin = pack('H*', $md5pw);
	$encpw = base64_encode($bin . $salt);
	$mods['userPassword'] = '{smd5}' . $encpw;	// $mods is the list of modifications
This works with openldap 2.0

The passwords that come out of ldapsearch look like:
	userPassword:: e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE
(for password 'password')

If I try and authenticate with that user:
	ldapsearch -LLL -b dc=example,dc=uk -D uid=testuser,dc=example,dc=uk -x -w password
it fails on the new system but works on the old one.

If (on the new system) I set the password on my testuser to (using slapadd):
	userPassword:: cGFzc3dvcmQ=
(also for 'password') authentication works properly.
I can't remember how I generated the above string, it is set for the cyrus user.

I don't want 9,000 users to have to have their password reset.

/etc/ldap.conf is the same on both machines.

/etc/slapd.conf contains (on both machines)
	password-hash   {smd5}

syslog messages:
	saslauthd[26685]: Authentication failed for testuser: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
	saslauthd[26685]: do_auth         : auth failure: [user=testuser] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

I am at a loss .... has anyone got any pointers please.


Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/

#include <std_disclaimer.h>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : https://lists.andrew.cmu.edu/mailman/private/info-cyrus/attachments/20051216/d579e2b0/attachment.bin

More information about the Info-cyrus mailing list