On Wed, Apr 22, 2009 at 09:56:51AM +0930, Ian wrote:
You also need to make sure that the new server was built with support for your chosen hash scheme. If using crypt passwords, this means adding the --enable-crypt flag to the initial 'configure' command.
Maybe that's where the problem lies. From what Michael said in his reply, the passwords are plain MD5 hashes. Perhaps I've built the new one with crypt support and it's trying to use that instead of straight MD5?
Unlikely. I don't think it is possible to disable the MD5 hash support.
Yes, that was the first thing I checked when I couldn't login. The hashes are exactly the same on both servers.
If I look at the encrypted password before and after resetting it, the password hashes are different, even though they are supposedly the same password.
This could be because a salt is added before generating the hash.
But then

On Tue, Apr 21, 2009 at 04:43:51PM +0200, Michael Ströder wrote:
$ python -c "print 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')"
{md5}547qEjL5yQnfIp7aDAXd8w==
So this is a plain MD5-hashed password. This password scheme is *not*
... and the interesting thing there is that you are using a *non-salted* hash scheme. That means that a given password should always produce the same hash, yet you have found that resetting the password produces a different hash.
To diagnose this further I would use ldapsearch directly, rather than involving the Linux or FreeBSD nss_ldap client. Something like this:
ldapsearch -x -H ldap://oldserver/ -D <user account DN> -w <password> \
    -b '' -s base '(objectclass=*)'
Try the same account on the old and the new server, having made sure that the password hashes for that account are identical. Run both ldapsearch commands from the same window on the same machine. If one server accepts the search and the other one does not then you have a good test case.
One area that might be worth checking is character sets. If your test password has any non-ASCII characters then success may be dependent on the default character set of the client machine (which is why I said to use the same window for both tests above).
If you still get different results for your old and new servers then I would start to suspect a bug in the MD5 implementation, though this is very unlikely as OpenLDAP has its own copy of MD5 which has not changed since July 2000:
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblutil/md5.c.diff?r1=1....
Andrew
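An added worked example, not part of the thread and not OpenLDAP's own code: it reproduces offline the two checks Andrew's reply relies on, that a {MD5} value carries no salt and so the same password must always yield the same string, and that a non-ASCII password hashes differently depending on the character set the client encodes it in. The scheme layouts (base64 of digest, with the salt appended for the S* variants) follow the OpenLDAP liblutil conventions; the sample passwords, the fixed salts and the two candidate encodings are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# The userPassword value Michael decoded in the thread: "{md5}" prefix,
# then base64 of the raw 16-byte digest and nothing else (so no salt).
THREAD_VALUE = "{md5}547qEjL5yQnfIp7aDAXd8w=="

# Scheme -> (hashlib algorithm, digest length in bytes, salted?).
# Layout follows OpenLDAP's liblutil: base64(digest [+ salt]).
SCHEMES = {
    "MD5":  ("md5",  16, False),
    "SMD5": ("md5",  16, True),
    "SHA":  ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}

# Encodings a client might apply to a non-ASCII password before binding
# (constructed list for the demonstration).
CANDIDATE_ENCODINGS = ("utf-8", "latin-1")


def split_scheme(stored):
    """Split '{scheme}base64' into (SCHEME, raw bytes). Raises on bad input."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {scheme} prefix: %r" % stored)
    end = stored.index("}")
    return stored[1:end].upper(), base64.b64decode(stored[end + 1:])


def is_salted(stored):
    """True if the stored value carries a per-entry salt, i.e. resetting the
    same password is expected to produce a different string each time."""
    scheme, raw = split_scheme(stored)
    algo, dlen, salted = SCHEMES[scheme]
    # Trust the scheme name, but cross-check against the decoded length:
    # an unsalted digest must be exactly dlen bytes long.
    return salted or len(raw) > dlen


def hash_password(password, scheme, salt=None, encoding="utf-8"):
    """Build a userPassword value for the given scheme (constructed helper)."""
    algo, _, salted = SCHEMES[scheme]
    pw = password.encode(encoding)
    if salted:
        if salt is None:
            salt = os.urandom(4)           # slapd uses a short random salt
        raw = hashlib.new(algo, pw + salt).digest() + salt
    else:
        raw = hashlib.new(algo, pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_password(stored, candidate, encoding="utf-8"):
    """Verify candidate against a stored value the way slapd does for these
    schemes. Returns False for malformed or unsupported values."""
    try:
        scheme, raw = split_scheme(stored)
        algo, dlen, salted = SCHEMES[scheme]
        pw = candidate.encode(encoding)
    except (KeyError, ValueError, UnicodeEncodeError):
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return False
    computed = hashlib.new(algo, pw + salt).digest()
    return hmac.compare_digest(computed, digest)


def matching_encodings(stored, candidate):
    """Which client-side encodings of candidate verify against stored?
    One encoding matching and the other not is the character-set
    mismatch Andrew describes."""
    return [enc for enc in CANDIDATE_ENCODINGS
            if check_password(stored, candidate, encoding=enc)]


if __name__ == "__main__":
    print(THREAD_VALUE, "salted:", is_salted(THREAD_VALUE))
    # Unsalted: two hashes of the same password are identical.
    print(hash_password("secret", "MD5"), hash_password("secret", "MD5"))
    # Salted: two hashes of the same password differ.
    print(hash_password("secret", "SMD5"), hash_password("secret", "SMD5"))
    stored = hash_password("Gr\u00fc\u00dfe", "MD5", encoding="latin-1")
    print(stored, matching_encodings(stored, "Gr\u00fc\u00dfe"))
```

Running it with a real userPassword value copied from `ldapsearch` on the old server and the password the user types gives the same answer slapd's bind would, so a mismatch between `matching_encodings` results for the old and new servers' values points at the client character set rather than at either server's MD5 code.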