On Tuesday 03 April 2007, Rocky Zhou wrote:
Now I'm making OpenLDAP and Kerberos work together, and I have a question about the password that LDAP uses. The configuration file /usr/local/etc/openldap/slapd.conf has these lines:

# rootpw secret
rootpw {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ

The second line was generated by slappasswd. I tried to use:

sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'

to import account info into the database, but it reports:

ldap_bind: Invalid credentials (49)

If I use:

rootpw secret
sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w 'secret'

it works.

So why does the '{SSHA}' method fail?
Because hashes are one-way.
It would be pointless if you could use the hash as a clear-text equivalent.
If you want strong authentication, don't use simple binds (thus, you need to end up removing rootpw).
Regards, Buchan