Thank you for the explanation. I guess the thing I don't fully understand is that I can do an ldapsearch with the base as my test user and the domain, but I cannot log in using the same test user. And I can also view the directory from an LDAP browser using the test user. Is there something I'm missing?
Note: the ldap.conf that I mention is the PADL pam_ldap ldap.conf file.
Thanks, Vinh
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> (sent by Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>), 02/01/2008 10:49 AM
To: Vinh CTR Hoang/ACT/CNTR/FAA@FAA; cc: openldap-technical@openldap.org
Subject: Re: password-hashing scheme
Vinh.CTR.Hoang@faa.gov writes:
> I'm on Solaris 9 with OpenLDAP 2.3.35. I have the password set as "clear" in the ldap.conf
There is no such option in OpenLDAP's ldap.conf. Maybe you are using a Solaris client, you'll have to see what that keyword means there.
However...
> and password-hash as {MD5} in slapd.conf.
This is not related to authentication. See man slapd.conf: it means that when you modify the password with the Password Modify extended operation (e.g. OpenLDAP client ldappasswd) then slapd will hash the new password and store it as "{MD5}<md5-hash>".
> Am I safe to assume that with these settings, it means that the client will be sent the passwords over the server as clear text and the server will hash it to MD5 before checking against its stored password list? If it is not the case, then how should I configure the client and server to be the case?
The LDAP Simple Bind operation always sends the password in the clear. The server checks it against the user's userPassword attribute. That attribute includes a "{hash algorithm}" prefix if it is hashed, so slapd can know how to compare.
If you've just taken MD5 hashes and stuffed them into OpenLDAP without an {MD5} prefix, that won't work. Also there are actually several kinds of MD5 hashes out there - e.g. a Unix crypt extension supports hashes which look something like "$1$...$....". In our server we store those with a "{CRYPT}" prefix since it is crypt() which handles that (on Linux). Then there are salted and unsalted MD5s - if you have salted, you should use "{SMD5}", not "{MD5}".
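The comparison Hallvard describes, as an added example that is not part of the thread: a small Python model of how slapd treats a userPassword value, where the "{SCHEME}" prefix selects the comparison method, "{MD5}" is base64 of the raw digest, "{SMD5}"/"{SSHA}" append a salt to the digest before base64 encoding, and a value with no recognised prefix is compared as clear text. It assumes the standard-library hashlib/base64/hmac modules only; "{CRYPT}" is deliberately not reimplemented, since slapd delegates that to the platform crypt() routine. The example also shows why a bare hex MD5 stuffed into userPassword without a prefix never matches the bind password.

```python
# Added example (not from the thread): model of slapd's userPassword handling.
# Formats follow OpenLDAP's conventions: {MD5} = base64(md5(pw)),
# {SMD5} = base64(md5(pw + salt) + salt), {SSHA} = base64(sha1(pw + salt) + salt).
# A value with no recognised "{SCHEME}" prefix is compared as clear text.
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib name, digest length) for salted schemes
SALTED = {"SMD5": ("md5", 16), "SSHA": ("sha1", 20)}
# scheme -> hashlib name for unsalted schemes
UNSALTED = {"MD5": "md5", "SHA": "sha1"}


def hash_userpassword(password, scheme="SSHA", salt=None):
    """Return a userPassword value in OpenLDAP "{SCHEME}base64" form.

    This is what slapd does on a Password Modify when password-hash is set;
    a random 4-byte salt is generated for salted schemes unless one is given.
    """
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in UNSALTED:
        digest = hashlib.new(UNSALTED[scheme], pw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in SALTED:
        algo, _ = SALTED[scheme]
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.new(algo, pw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    raise ValueError("unsupported scheme: " + scheme)


def split_scheme(stored):
    """Split "{SCHEME}rest" into (SCHEME, rest); no prefix -> (None, stored)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def check_userpassword(stored, candidate):
    """Compare a clear-text Simple Bind password against a stored userPassword.

    Mirrors slapd: the prefix picks the method; no prefix means clear text.
    """
    scheme, rest = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:
        # No prefix: the stored value itself is taken as the clear-text password,
        # so a raw hex digest stored here is compared literally and never matches.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    if scheme in UNSALTED:
        expected = hashlib.new(UNSALTED[scheme], pw).digest()
        return hmac.compare_digest(base64.b64decode(rest), expected)
    if scheme in SALTED:
        algo, dlen = SALTED[scheme]
        blob = base64.b64decode(rest)
        digest, salt = blob[:dlen], blob[dlen:]  # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    if scheme == "CRYPT":
        # slapd hands "{CRYPT}" values to the platform crypt(3); not modelled here.
        raise NotImplementedError("{CRYPT} is handled by the system crypt() routine")
    raise ValueError("unknown scheme: " + scheme)


if __name__ == "__main__":
    for value in ("{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",          # base64 md5("secret")
                  "5ebe2294ecd0e0f08eab7690d2a6ee69",          # hex md5("secret"), no prefix
                  hash_userpassword("secret", "SMD5"),
                  hash_userpassword("secret", "SSHA")):
        print("%-50s bind 'secret' -> %s" % (value, check_userpassword(value, "secret")))
```

Running the block shows the prefixed {MD5}, {SMD5} and {SSHA} values all accept "secret", while the bare hex digest is rejected, because without a prefix slapd compares it as if the digest string were the password itself.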