On 12/16/12 12:04 +0100, DavidHornung wrote:
I have to say thank you! I changed in the table ldap_attr_mappings the value of userPassword from persons.password
to text('{CRYPT}'||persons.password)
Now I am able to auth again the salted MD5 passwords!
One further question: I tried to use blowfish UPDATE persons SET password = crypt('secret', gen_salt('bf')); instead of md5 UPDATE persons SET password = crypt('secret', gen_salt('bf'));
but i could not authenticate, what could be the problem?
Check your local manpage for crypt(3) to see if blowfish is supported on your system, and that the ID matches the postgresql output.
Yes, it gives
ID | Method
1 | MD5 2a | Blowfish (not in mainline glibc; added in some | Linux distributions) 5 | SHA-256 (since glibc 2.7) 6 | SHA-512 (since glibc 2.7)
and the 2a is also given back from postgresql crypt
When using the '{CRYPT}' identifier, you're telling slapd to make a 'crypt' system call to verify the hash. If that is failing for blowfish (but working for md5), that indicates that your problem is likely with how glibc was compiled on your system.
Check with your distribution's glibc maintainer to verify they have included blowfish support (for the crypt call).
openldap-technical@openldap.org