I have installed the ldapns.schema in my ubuntu 10.04 ldap server to enable host based authentication/filtering. I have some ubuntu 10.10 ldap clients that requires filtering. All my ldap users have passwords in crypt format that I have converted to an ldif file using the PADL migration.pl scripts. After importing them into my ldap server, the pam filtering wasn't working; however, when I changed the passwords from crypt to clear or md5 or sha1, filtering worked fine. The question is how can I get filtering to work with {CRYPT} password hashing?
cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=web,dc=net
uri ldap://10.112.18.2
ldap_version 3
rootbinddn cn=admin,dc=web,dc=net
bind_policy soft
pam_filter |(host=webdev120)(host=\*)
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data
cat common-auth | grep -v ^# | grep -v ^$
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
cat common-account | grep -v ^# | grep -v ^$
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
cat common-password | grep -v ^# | grep -v ^$
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so