Judith Flo Gaya wrote:
On 04/06/2011 02:44 PM, Aaron Richton wrote:
On Tue, 5 Apr 2011, Judith Flo Gaya wrote:
[with ldappasswd I get]
e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0=
[but with passwd I get]
e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA=
[after running]
authconfig --enableforcelegacy --disablecachecreds --enableldap --enableldapauth --ldapserver=172.19.5.13 --ldapbasedn=dc=linux,dc=imppc,dc=org --disableldaptls --disablefingerprint --disablewinbind --disablewins --disablesssd --disablesssdauth --disablenis --enablecache --enablelocauthorize --usemd5 --updateall
This command takes care of all the pam.d files, and considering that ssh does work with the password set by the ldappasswd command, where is the problem?
I find those hard to read, so:
$ echo e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= | openssl enc -d -base64
{MD5}i27/v62xAo6b8GmvaGPx6w==
$ echo e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= | openssl enc -d -base64
{crypt}$1$DuT3b0KP$MF6d9Pj8axRAztEoU45T40
Sorry, I should have provided them.
So, with ldappasswd you're getting MD5 userPassword values (and you seem to be happy with that), but with passwd you're getting crypt userPassword values (which are not using the MD5 scheme you seem to be happy with).
With that in mind, I'd propose the command that "takes care of all the pam.d files" might not be as complete as you hoped. I'd check the "password" pam stack and make sure that it's configured to generate MD5 passwords or, much better yet, use the LDAP Password Modify operation just as your ldappasswd invocation does.
I did try to add the md5 variable in the pam stack, but unsuccessfully,
No, no, $1$ at the beginning of the password hash indicates crypt's implementation of md5. And this has nothing to do with MD5 hashes,
I also tried to change the authconfig command to generate md5 passwords but they didn't fit the ones in the server.
A common misunderstanding,
From "man slappasswd"
-c crypt-salt-format
       Specify the format of the salt passed to crypt(3) when generating {CRYPT} passwords. This string needs to be in sprintf(3) format and may include one (and only one) %s conversion. This conversion will be substituted with a string of random characters from [A-Za-z0-9./]. For example, '%.2s' provides a two character salt and '$1$%.8s' tells some versions of crypt(3) to use an MD5 algorithm and provides 8 random characters of salt. The default is '%s', which provides 31 characters of salt.
If you set in slapd.conf: password-crypt-salt-format '$1$%.8s'
then the password is stored in crypt's md5 format.
But normally that is not what you want. Even with md5, crypt is much weaker than ssha. Only if you have really old unices in your network should you use crypt.
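To make the distinction drawn in this thread concrete, here is a small Python script, added as an illustration and not part of the original mail or of OpenLDAP itself. It decodes the two base64 userPassword values pasted above the way the openssl one-liner does, names the scheme from the {...} prefix, reads a leading $1$ inside {crypt} as crypt(3)'s md5 variant rather than the {MD5} scheme, and shows the {SSHA} form the last message recommends. The {SSHA} and {MD5} helpers, the audit function, and the traditional-crypt and SHA-crypt sample strings are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re

# The two base64 values are the ones pasted in the thread; everything else
# below is constructed for this example and is not from the original mail.
LDAPPASSWD_VALUE = "e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0="
PASSWD_VALUE = "e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA="

# crypt(3) "$id$" prefixes as implemented by glibc; no prefix means traditional DES crypt.
CRYPT_VARIANTS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def decode_userpassword(b64_value):
    """ldapsearch prints non-safe attribute values base64-encoded (the '::' form);
    this is what the openssl one-liner in the thread undoes."""
    return base64.b64decode(b64_value).decode("ascii")


def classify(stored):
    """Name the password scheme of a userPassword value and, for {CRYPT},
    which crypt(3) variant the '$id$' prefix selects."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", stored)
    if not m:
        return {"scheme": "CLEARTEXT"}
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return {"scheme": scheme}
    parts = rest.split("$")
    # "$1$salt$hash" splits to ["", "1", "salt", "hash"]; sha-crypt may insert "rounds=N".
    if len(parts) >= 4 and parts[0] == "" and parts[1] in CRYPT_VARIANTS:
        salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
        return {"scheme": "CRYPT", "variant": CRYPT_VARIANTS[parts[1]], "salt": salt}
    return {"scheme": "CRYPT", "variant": "traditional DES crypt", "salt": rest[:2]}


def make_md5(password):
    """{MD5}: base64 of the raw, unsalted MD5 digest (what ldappasswd produced here)."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    """{SSHA}: base64 of sha1(password || salt) followed by the salt; the scheme
    the end of the thread recommends over {CRYPT} and {MD5}."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored, password):
    """Check a candidate password against an {MD5} or {SSHA} value, e.g. to confirm
    that the hash one tool wrote is the one another tool will accept."""
    info = classify(stored)
    if info["scheme"] == "MD5":
        return hmac.compare_digest(make_md5(password), stored)
    if info["scheme"] == "SSHA":
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    raise ValueError("scheme %s not handled in this example" % info["scheme"])


def audit(b64_values):
    """For each encoded userPassword, return its classification and whether it uses
    a scheme the thread's last message calls weaker than {SSHA}."""
    report = []
    for value in b64_values:
        info = classify(decode_userpassword(value))
        weak = info["scheme"] in ("CRYPT", "MD5", "CLEARTEXT")
        report.append((info, weak))
    return report


if __name__ == "__main__":
    for info, weak in audit([LDAPPASSWD_VALUE, PASSWD_VALUE]):
        print(info, "WEAK" if weak else "ok")
    print(classify(make_ssha("example-only")))
```

Run against the two values from the thread, audit() reports {MD5} for the ldappasswd entry and {CRYPT} with variant md5-crypt and salt DuT3b0KP for the passwd entry, which is exactly the mismatch discussed above: both involve MD5, but they are different schemes and neither PAM's crypt nor slapd's password-crypt-salt-format will turn one into the other. Routing password changes through the LDAP Password Modify operation with {SSHA} as the server's password-hash avoids the question entirely.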