On Wed, 15 Feb 2012 16:35:38 +0200, Szilard Gyorgy wrote:
> Hi Hallvard
> I use the compare tool just for testing.
> The problem is when I try to log in to my Cisco router (using ldap) I got a compare false error message. After that I tested the same password with this tool and I got the same result.

That's working as intended.

> If I give the same password that I used to log in, why is it not working? OK, it is a different encryption - how can I change it?

The Bind operation treats the userPassword attribute specially and pays attention to encryption, while the Compare operation just considers userPassword an ordinary attribute and compares it as-is. For Compare to work, you must store the cleartext password with ldapmodify. However slapd might be configured so Bind does not support cleartext userPassword...

BTW, also note that tools like ldapsearch display the password base64-encoded. The '::' after the attribute name indicates this. That's a client-side matter, but might add some extra confusion.

> PS: I need to have the compare function working with a clear text password - if it is not working with ldap's own compare tool I can't expect that it will work with the router.

I hope you are testing the wrong thing. I don't know why you can't expect that, it is working as specified after all. But then, I don't know how your router uses LDAP. You can hide userPassword with access controls so people can only compare and Bind, but not read it. But it's better if the password can never be read. In which case there is also no need to store it in cleartext.
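
The difference described in this reply, as an added example that is not part of the original message: a small Python model of Compare (octet-for-octet equality) next to Bind (scheme-aware check) for a salted {SSHA} userPassword, plus decoding of the base64 form that ldapsearch prints after '::'. The password, salt and function names are constructed for illustration, and only the {SSHA} scheme is modelled.

```python
import base64
import hashlib
import hmac

def make_ssha(password: bytes, salt: bytes) -> bytes:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def ldif_value(line: str) -> bytes:
    """Raw attribute value of one LDIF line; '::' marks a base64 value."""
    _attr, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()

def compare_op(stored: bytes, asserted: bytes) -> bool:
    """Compare as described above: the stored octets are matched as-is."""
    return hmac.compare_digest(stored, asserted)

def bind_check(stored: bytes, password: bytes) -> bool:
    """Bind as described above: the scheme prefix is interpreted."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    # No scheme prefix: the value is the cleartext password itself.
    return hmac.compare_digest(stored, password)

def demo() -> dict:
    password = b"s3cret-example"            # constructed sample password
    hashed = make_ssha(password, b"saltsalt")  # constructed fixed salt
    # What ldapsearch would print: the stored value, base64-encoded again.
    line = "userPassword:: " + base64.b64encode(hashed).decode()
    stored = ldif_value(line)
    return {
        "stored_is_hashed": stored == hashed,
        "compare_cleartext": compare_op(stored, password),  # False
        "bind_cleartext": bind_check(stored, password),     # True
        "compare_hashed_value": compare_op(stored, hashed), # True
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Decoding the '::' value once yields the {SSHA} string, not the password, which is why pasting either form into a Compare against a cleartext assertion returns false.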