Hi, I'm having trouble trying to get an ldap client authenticated by the ldap server. I think the problem is that I might have the hash scheme configured wrongly or something like that. I'm on solaris 9 with Openldap 2.3.35. I have the password set as "clear" in the ldap.conf and password-hash as {MD5} in slapd.conf. Am I safe to assume that with these settings, it means that the client will send the passwords to the server as clear text and the server will hash them to MD5 before checking against its stored password list? If it is not the case, then how should I configure the client and server so that it is the case?
Thanks, Vinh
On Friday 01 February 2008 17:18:28 Vinh.CTR.Hoang@faa.gov wrote:
> Hi, I'm having trouble trying to get an ldap client authenticated by the ldap server. I think the problem is that I might have the hash scheme configured wrongly or something like that. I'm on solaris 9 with Openldap 2.3.35. I have the password set as "clear" in the ldap.conf
Which ldap.conf? Solaris doesn't have an ldap.conf by default, so is this nss_ldap's or PADL's pam_ldap's ldap.conf, or is this OpenLDAP's ldap.conf?
> and password-hash as {MD5} in slapd.conf.
Both of these settings only apply to password changes (assuming ldap.conf is pam_ldap's ldap.conf). This is covered in the documentation for each piece of software.
> Am I safe to assume that with these settings, it means that the client will send the passwords to the server as clear text and the server will hash them to MD5 before checking against its stored password list?
In the case of a simple bind, the password is always sent in the clear. The password will typically be validated against the contents of the userPassword attribute for the DN in question, using the password scheme identifier that precedes that password hash. As such, the password hash type typically can't be configured incorrectly, as it is stored with the password hash ...
> If it is not the case, then how should I configure the client and server so that it is the case?
Regards, Buchan
Vinh.CTR.Hoang@faa.gov writes:
> I'm on solaris 9 with Openldap 2.3.35. I have the password set as "clear" in the ldap.conf
There is no such option in OpenLDAP's ldap.conf. Maybe you are using a Solaris client; you'll have to see what that keyword means there.
However...
> and password-hash as {MD5} in slapd.conf.
This is not related to authentication. See man slapd.conf: it means that when you modify the password with the Password Modify extended operation (e.g. OpenLDAP client ldappasswd) then slapd will hash the new password and store it as "{MD5}<md5-hash>".
> Am I safe to assume that with these settings, it means that the client will send the passwords to the server as clear text and the server will hash them to MD5 before checking against its stored password list? If it is not the case, then how should I configure the client and server so that it is the case?
The LDAP Simple Bind operation always sends the password in the clear. The server checks it against the user's userPassword attribute. That attribute includes a "{hash algorithm}" prefix if it is hashed, so slapd can know how to compare.
If you've just taken MD5 hashes and stuffed them into OpenLDAP without an {MD5} prefix, that won't work. Also there are actually several kinds of MD5 hashes out there - e.g. a Unix crypt extension supports hashes which look something like "$1$...$....". In our server we store those with a "{CRYPT}" prefix since it is crypt() which handles that (on Linux). Then there are salted and unsalted MD5s - if you have salted, you should use "{SMD5}", not "{MD5}".
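The comparison Buchan and Hallvard describe, where the "{scheme}" prefix stored with the userPassword value tells the server how to check a cleartext bind password, as an added Python example that is not from the thread or from OpenLDAP's own code. It re-implements only the unsalted {MD5} and salted {SMD5} encodings (base64 of the MD5 digest, with the salt appended after the digest for {SMD5}); {CRYPT} is left out because slapd hands that to the system crypt(3). Function names, the sample password and the fixed salt are the example's own constructions.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# A hashed userPassword value looks like "{SCHEME}<base64 data>".
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def hash_md5(password: str) -> str:
    """Unsalted {MD5}: base64 of the raw 16-byte MD5 digest of the password."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def hash_smd5(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SMD5}: base64 of MD5(password || salt) followed by the salt bytes."""
    if salt is None:
        salt = os.urandom(4)  # slapd uses a short random salt; length is not fixed by the format
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a cleartext bind password against one stored userPassword value.

    Without a scheme prefix the stored value is taken as cleartext and compared
    literally, which is why a bare MD5 hash 'stuffed into' the attribute never
    matches the password that produced it.
    """
    m = _SCHEME_RE.match(stored)
    if m is None:
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))

    scheme, data = m.group(1).upper(), m.group(2)
    raw = base64.b64decode(data)
    pw = candidate.encode("utf-8")

    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]  # MD5 digest is 16 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    if scheme == "CRYPT":
        # slapd delegates {CRYPT} values (e.g. "$1$...$...") to crypt(3); not modelled here.
        raise ValueError("{CRYPT} verification delegated to the system crypt(3)")
    raise ValueError("unsupported password scheme: {%s}" % scheme)


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    print(hash_md5("secret"))                      # {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
    print(verify(hash_md5("secret"), "secret"))    # True
    print(verify("Xr4ilOzQ4PCOq3aQ0qbuaQ==", "secret"))  # False: no prefix, treated as cleartext
    print(verify(hash_smd5("secret", b"\x01\x02\x03\x04"), "secret"))  # True
```

The salted form is the one to prefer where MD5 must be kept at all: two users with the same password get different stored values, and the scheme tag, not a server-side setting, decides how the comparison is done.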
Thank you for the explanation. I guess the thing I don't fully understand is that I can do an ldapsearch with the base as my test user and the domain but I cannot log in using the same test user. And I also can view the directory from an ldap browser using the test user. Is there something I'm missing?
Note: ldap.conf that I mention is the padl pam's ldap.conf file.
Thanks, Vinh
Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote on 02/01/2008 10:49 AM, to Vinh CTR Hoang, cc openldap-technical@openldap.org, Subject: Re: password-hashing scheme
Ok, I've turned on logging to 312 for slapd and tried to log in using a test user. Now for both the username and password prompts I see activity in the slapd log, but when I get the ldap password prompt I see no activity. Should I see activity in the log when the ldap client tries to authenticate itself?
Thanks, Vinh
Vinh.CTR.Hoang@faa.gov wrote, on 01-02-2008 21:10:
> Ok, I've turned on logging to 312 for slapd and tried to log in using a test user. Now for both the username and password prompts I see activity in the slapd log, but when I get the ldap password prompt I see no activity. Should I see activity in the log when the ldap client tries to authenticate
It's most likely that your ACLs are prohibiting whoever it is that's trying to bind (could be the user, could be anonymous, rootdn can always read everything) from accessing the password.
--Tonni
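The ACL failure Tonni points to, as an added Python example that is not from the thread or from OpenLDAP: a small model of how slapd picks the first matching "by" clause of an "access to attrs=userPassword" directive, with a simple bind evaluated as anonymous (the connection is not yet authenticated) and needing the "auth" level on userPassword, while the rootdn bypasses ACLs altogether. The two slapd.conf lines, the user DN and the clause parser (which assumes two-token "by <who> <level>" clauses only) are the example's own constructions, so treat the exact semantics as an assumption to check against slapd.access(5) for your version.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access levels in the order slapd.access(5) ranks them; a clause granting a level
# also grants every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def level(name: str) -> int:
    return LEVELS.index(name)


@dataclass
class Clause:
    who: str     # "*", "anonymous", "users", "self" or a literal DN
    access: str  # one of LEVELS


def who_matches(who: str, requester_dn: Optional[str], target_dn: str) -> bool:
    """Does this 'by <who>' clause apply to the requester? None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return requester_dn is not None and requester_dn.lower() == who.lower()


def granted(clauses: List[Clause], requester_dn: Optional[str], target_dn: str,
            needed: str, rootdn: Optional[str] = None) -> bool:
    """First matching 'by' clause decides; no matching clause means denied."""
    if rootdn is not None and requester_dn is not None and requester_dn.lower() == rootdn.lower():
        return True  # rootdn is never subject to ACLs
    for c in clauses:
        if who_matches(c.who, requester_dn, target_dn):
            return level(c.access) >= level(needed)
    return False


def parse_access_line(line: str) -> List[Clause]:
    """Turn 'access to attrs=userPassword by self write by * none' into Clause objects.

    Assumption: the 'to' part already matches userPassword, so only the 'by' part is parsed.
    """
    parts = line.split(" by ")
    return [Clause(*p.split()) for p in parts[1:]]


def can_simple_bind(access_line: str, user_dn: str, rootdn: Optional[str] = None) -> bool:
    """A simple bind runs before the connection is authenticated, so it is evaluated
    as anonymous and needs 'auth' on the target entry's userPassword."""
    return granted(parse_access_line(access_line), None, user_dn, "auth", rootdn)


# Constructed slapd.conf lines, not from the thread: the first forgets anonymous auth.
DENIES_BIND = "access to attrs=userPassword by self write by * none"
ALLOWS_BIND = "access to attrs=userPassword by self write by anonymous auth by * none"

if __name__ == "__main__":
    user = "uid=test,dc=example,dc=com"
    print(can_simple_bind(DENIES_BIND, user))  # False: ldapsearch may work, bind cannot
    print(can_simple_bind(ALLOWS_BIND, user))  # True
```

With the first line the test user can still browse the directory anonymously or after some other bind, which matches the symptom of a working ldapsearch and a failing login, and slapd logs nothing useful at the password prompt because the bind is refused before any hash is compared.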