I have two ldap servers:
1) on machine A, a tru64 platform with openldap-2.2.20
2) on machine B, a rhel4 platform with openldap-2.3.27
We are trying to migrate to the rhel4 machine with the more recent ldap. The problem is that sometimes the validation fails. Due to the number of failures of validation against the rhel4 machine, we set up a program that:
a) checks the encrypted password against the tru64 password file (the source) and against both ldap servers. Understand, this is comparing the encrypted password to see if they are the same.
b) tries to validate against all three locations.
The strange thing is that in a high number of instances, the encrypted password matches on all three locations, the password (via this test program) validates against the password file and the tru64 ldap, but fails to validate with err=49 (invalid credentials) against the rhel4 box. As best I can tell, it is random. Most work, but a high percentage fail. We rebuild both ldaps each night. I was building the tru64 one with ldapadd and the rhel4 with slapadd. I then switched to 'slapadd -q'. Still had the problems, although they seemed a little better, so last night I switched to ldapadd for the rhel4 machine as well. I am not seeing some that are following this same pattern: validate against the password file and tru64 ldap, but fail against the rhel4 ldap.
One other note, both ldaps are built from the same ldif files. Any ideas?
Thanks for any help!
One note I would like to add. If the password is reset after the failures, then it works fine on both ldap servers and the password file. Thanks!
-----Original Message----- From: openldap-software-bounces+douglas=gpc.edu@openldap.org [mailto:openldap-software-bounces+douglas=gpc.edu@openldap.org] On Behalf Of Douglas B. Jones Sent: Wednesday, November 15, 2006 11:36 AM To: openldap-software@openldap.org Cc: douglas@gpc.edu Subject: password validation
At 08:36 AM 11/15/2006, Douglas B. Jones wrote:
b) tries to validate against all three locations.
Your assumption that a crypt(3) password generated on one system (or by one crypt(3) implementation) is verifiable by another is not generally valid. It is well known that crypt(3) behavior (whether by design or by bug) is implementation dependent and, hence, portability of crypt(3)'ed passwords is limited. This is why use of {CRYPT} is generally discouraged and why {CRYPT} support is disabled by default in slapd(8).
This is discussed in the FAQ: http://www.openldap.org/faq/index.cgi?file=344
Kurt
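As an added illustration of Kurt's point (example code written for this page, not from the thread or from OpenLDAP): a small Python audit of an LDIF export that flags which userPassword values depend on the operating system's crypt(3), and which crypt(3) variant they use, so the entries that will need a reset before migration can be found up front instead of by random err=49 failures. The sample LDIF, its dn values and every hash in it are constructed.

```python
import base64
import re
# Constructed sample LDIF (not from the thread); every dn and hash value is made up.
_SSHA_B64 = base64.b64encode(b"{SSHA}c2FsdHNhbHRzYWx0c2FsdHNhbHRzYWx0MTIzNA==").decode()
SAMPLE_LDIF = f"""dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {{CRYPT}}abJnggxhB/yWI

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {{CRYPT}}$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: {_SSHA_B64}
"""

# crypt(3) salt prefixes -> (variant, portability note); checked in order.
CRYPT_VARIANTS = [
    ("$1$", "md5-crypt", "common but not universal; verify on the target first"),
    (("$5$", "$6$"), "sha-crypt", "glibc extension; often absent on other platforms"),
    (("$2a$", "$2b$", "$2y$"), "bcrypt", "BSD extension; absent from most glibc and Tru64 builds"),
    ("_", "bsdi-des", "BSDi extension; rarely supported elsewhere"),
]

def classify_crypt(h):
    # Name the crypt(3) variant from its prefix and say how portable it is.
    for prefix, variant, note in CRYPT_VARIANTS:
        if h.startswith(prefix):
            return variant, note
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "traditional-des", "most portable form, yet salt handling still varies by implementation"
    return "unknown", "unrecognised crypt(3) form; treat as non-portable"

def audit_ldif(text):
    # One record per userPassword: dn, scheme, crypt variant and portability note.
    findings, dn = [], None
    for line in text.splitlines():  # assumes no wrapped (continuation) lines in the LDIF
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif (m := re.match(r"userPassword(::?)\s*(.*)", line, re.IGNORECASE)):
            value = m.group(2).strip()
            if m.group(1) == "::":  # '::' marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            s = re.match(r"\{([^}]+)\}(.*)", value)
            scheme, rest = (s.group(1).upper(), s.group(2)) if s else ("cleartext", value)
            if scheme == "CRYPT":
                variant, note = classify_crypt(rest)
            else:
                variant, note = "-", "hashed by slapd itself, not the OS crypt(3); portable"
            findings.append({"dn": dn, "scheme": scheme, "variant": variant, "note": note})
    return findings
```

Schemes such as {SSHA} are computed and compared by slapd's own code, so they behave the same on both servers; setting `password-hash {SSHA}` in slapd.conf makes password changes done through slapd store that form rather than {CRYPT}.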
Thank you so much, I never knew this! Thanks for all the help!
-----Original Message----- From: openldap-software-bounces+douglas=gpc.edu@openldap.org [mailto:openldap-software-bounces+douglas=gpc.edu@openldap.org]On Behalf Of Kurt D. Zeilenga Sent: Monday, November 20, 2006 9:47 PM To: Douglas B. Jones Cc: douglas@gpc.edu; openldap-software@openldap.org Subject: Re: password validation