I have installed the ldapns.schema in my ubuntu 10.04 ldap server to enable host based authentication/filtering. I have some ubuntu 10.10 ldap clients that requires filtering. All my ldap users have passwords in crypt format that I have converted to an ldif file using the PADL migration.pl scripts. After importing them into my ldap server, the pam filtering wasn't working; however, when I changed the passwords from crypt to clear or md5 or sha1, filtering worked fine. The question is how can I get filtering to work with {CRYPT} password hashing?
cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=web,dc=net
uri ldap://10.112.18.2 ldap_version 3 rootbinddn cn=admin,dc=web,dc=net bind_policy soft pam_filter |(host=webdev120)(host=*) nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data
cat common-auth | grep -v ^# | grep -v ^$ auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so
cat common-account | grep -v ^# | grep -v ^$
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so account requisite pam_deny.so account required pam_permit.so
cat common-password | grep -v ^# | grep -v ^$
password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so
openldap-technical@openldap.org