LDAP problem
Alain Williams
addw at phcomp.co.uk
Thu Dec 15 19:59:48 EST 2005
Summary: passwords with openldap 2.0 don't seem to work with openldap 2.2
I am migrating 9,000 users onto bigger hardware, two machines, etc.
User authentication is sasl with the info held in an openldap database.
After looong digging I find that the reason that users cannot login to imap
is down to the password in ldap somehow being wrong.
Old machine: openldap2-2.0.23 SUSE: Sles8
New machine: openldap2-2.2.6 SUSE: Sles9
The user information has been carried across in an ldif file.
The schema can't quite carry over since openldap 2.2 is more exacting than 2.0, so a few
fields I have to remove as I copied (users had 'objectClass: organization' & the such,
which the should not have).
I notice that /etc/openldap/schema/core.schema now (2.2) has commented out:
attributetype ( 2.5.4.35 NAME 'userPassword'
but if I comment it back in openldap complains of duplicate attributeType.
I think that that is a red herring.
Passwords are set via a php script, the relevant bit is:
$salt = pack("C2",(rand(0, 26)+65),(rand(0, 26)+65));
$md5pw = md5($password . $salt);
$bin = pack('H*', $md5pw);
$encpw = base64_encode($bin . $salt);
$mods['userPassword'] = '{smd5}' . $encpw; // $mods is the list of modifications
This works with openldap 2.0
The passwords that come out of ldapsearch look like:
userPassword:: e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE
(for password 'password')
If I try and authenticate with that user:
ldapsearch -LLL -b dc=example,dc=uk -D uid=testuser,dc=example,dc=uk -x -w password
it fails on the new system but works on the old one.
If (on the new system) I set the password on my testuser to (using slapadd):
userPassword:: cGFzc3dvcmQ=
(also for 'password') authentication works properly.
I can't remember how I generated the above string, it is set for the cyrus user.
I don't want 9,000 users to have to have their password reset.
/etc/ldap.conf is the same on both machines.
/etc/slapd.conf contains (on both machines)
password-hash {smd5}
syslog messages:
saslauthd[26685]: Authentication failed for testuser: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
saslauthd[26685]: do_auth : auth failure: [user=testuser] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
I am at a loss .... has anyone got any pointers please.
TIA
--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include <std_disclaimer.h>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : https://lists.andrew.cmu.edu/mailman/private/info-cyrus/attachments/20051216/d579e2b0/attachment.bin
More information about the Info-cyrus
mailing list