Thank you for the explaination.  I guess the thing i don't fully understand is that I can do a ldapsearch with
the base as my test user and the domain but I cannot log in using the same test user.  And I also can view
directory from a ldap browser using the test user.  Is there something I'm missing.

Note:  ldap.conf that I mention is the padl pam's ldap.conf file.


Hallvard B Furuseth <>
Sent by: Hallvard Breien Furuseth <>

02/01/2008 10:49 AM

Re: password-hashing scheme writes:
> I'm on solaris 9 with Openldap 2.3.35.  I have the password set as
> "clear" in the ldap.conf

There is no such option in OpenLDAP's ldap.conf.  Maybe you are using
a Solaris client, you'll have to see what that keyword means there.


> and password-hash as {MD5} in slapd.conf.

This is not related to authentication.  See man slapd.conf: it means
that when you modify the password with the Password Modify extended
operation (e.g. OpenLDAP client ldappasswd) then slapd will hash the new
password and store it as "{MD5}<md5-hash>".

> Am I safe to assume that with these settings, it means that the client
> will be sent the passwords over the server as clear text and the
> server will hash it to MD5 before checking against its stored password
> list? If it is not the case, then how should I configure the client
> and server to be the case?

The LDAP Simple Bind operation always send the password in the clear.
The server checks it against the user's userPassword attribute.  That
attribute includes a "{hash algorithm}" prefix if it is hashed, so slapd
can know how to compare.

If you've just taken MD5 hashes and stuffed them into OpenLDAP without
an {MD5} prefix, that won't work.  Also there are actually several kinds
of MD5 hashes out there - e.g. a Unix crypt extension supports hashes
which look something like "$1$...$....".  In our server we store those
with a "{CRYPT}" prefix since it is crypt() which handles that (on
Linux).  Then there are salted and unsalted MD5s - if you have salted,
you should use "{SMD5}", not "{MD5}".