Hello,
I am trying to change a password for ldap entry using ldappasswd -vx -D "cn=root,dc=test,dc=com" -w foobarr "uid=mariusp,ou=people,dc=test,dc=com" and reply I get is:
Result: Other (e.g., implementation specific) error (80) Additional info: password hash failed
I am running openldap on Solaris 10 latest on SPARC. It is in testing meaning there is nothing special about its configuration all defaults. Database has two entries just to play with.
I haven't bothered to compile it myself so just downloaded openldap 2.4.11 from sunfreeware.com with required prerequisits such as Berkeley DB, SASL, openssl etc.
Everything works fine except this weird problem which looks like a bug.
Password checking (binding) works fine if I manually change userPassword: attribute no matter what algorithm prefix I use be it SSHA, crypt or MD5. That tells me that it can succesfully check and run those algorithms however something breaks when it tries to change the password like it couldn't hash that supplied password.
Wondering if anyone exprienced similar problem and have any comments or findings.
Regards, /M.
Marius P. wrote:
I am trying to change a password for ldap entry using ldappasswd -vx -D "cn=root,dc=test,dc=com" -w foobarr "uid=mariusp,ou=people,dc=test,dc=com" and reply I get is:
Result: Other (e.g., implementation specific) error (80) Additional info: password hash failed
I am running openldap on Solaris 10 latest on SPARC. It is in testing meaning there is nothing special about its configuration all defaults. Database has two entries just to play with.
I haven't bothered to compile it myself so just downloaded openldap 2.4.11 from sunfreeware.com with required prerequisits such as Berkeley DB, SASL, openssl etc.
Everything works fine except this weird problem which looks like a bug.
Password checking (binding) works fine if I manually change userPassword: attribute no matter what algorithm prefix I use be it SSHA, crypt or MD5. That tells me that it can succesfully check and run those algorithms however something breaks when it tries to change the password like it couldn't hash that supplied password.
Wondering if anyone exprienced similar problem and have any comments or findings.
As far as I understand, that message could only appear if hashing failed inside the specific hashing mechanism call. Unfortunately, the failure reason depends on what hashing is being used. Can you tell what you set as "password-hash" in slapd.conf(5)? In case, I suggest you file an ITS.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
Thanks for comment, Pierangelo.
I did further testing and found out the following.
passord change using ldappasswd works if password-hash is set to CLEARTEXT, SHA and MD5. It doesn't work if it is set to SSHA, SMD5 and CRYPT or, in other words, non of the "salted" algorithms.
Interestingly, I took it further and compiled openldap myself and result is exactly the same. I wonder if that is problem with some ciphering libraries specific to Solaris.
What is an ITS that you suggest to file and where to file it?
Thanks
/M.
Pierangelo Masarati wrote:
Marius P. wrote:
I am trying to change a password for ldap entry using ldappasswd -vx -D "cn=root,dc=test,dc=com" -w foobarr "uid=mariusp,ou=people,dc=test,dc=com" and reply I get is:
Result: Other (e.g., implementation specific) error (80) Additional info: password hash failed
I am running openldap on Solaris 10 latest on SPARC. It is in testing meaning there is nothing special about its configuration all defaults. Database has two entries just to play with.
I haven't bothered to compile it myself so just downloaded openldap 2.4.11 from sunfreeware.com with required prerequisits such as Berkeley DB, SASL, openssl etc.
Everything works fine except this weird problem which looks like a bug.
Password checking (binding) works fine if I manually change userPassword: attribute no matter what algorithm prefix I use be it SSHA, crypt or MD5. That tells me that it can succesfully check and run those algorithms however something breaks when it tries to change the password like it couldn't hash that supplied password.
Wondering if anyone exprienced similar problem and have any comments or findings.
As far as I understand, that message could only appear if hashing failed inside the specific hashing mechanism call. Unfortunately, the failure reason depends on what hashing is being used. Can you tell what you set as "password-hash" in slapd.conf(5)? In case, I suggest you file an ITS.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it
Marius Paulauskas wrote:
I did further testing and found out the following.
passord change using ldappasswd works if password-hash is set to CLEARTEXT, SHA and MD5. It doesn't work if it is set to SSHA, SMD5 and CRYPT or, in other words, non of the "salted" algorithms.
Interestingly, I took it further and compiled openldap myself and result is exactly the same. I wonder if that is problem with some ciphering libraries specific to Solaris.
Did you build OpenLDAP with OpenSSL?
What is an ITS that you suggest to file and where to file it?
It's a ticket for an issue. See issue tracker here:
Ciao, Michael.
I did but against openssl I downloaded from sunfreeware.com.
in either case, openssl is required to run SSL/TLS. I don't think openssl is used for cryptography of passwords.
/M.
Michael Ströder wrote:
Marius Paulauskas wrote:
I did further testing and found out the following.
passord change using ldappasswd works if password-hash is set to CLEARTEXT, SHA and MD5. It doesn't work if it is set to SSHA, SMD5 and CRYPT or, in other words, non of the "salted" algorithms.
Interestingly, I took it further and compiled openldap myself and result is exactly the same. I wonder if that is problem with some ciphering libraries specific to Solaris.
Did you build OpenLDAP with OpenSSL?
What is an ITS that you suggest to file and where to file it?
It's a ticket for an issue. See issue tracker here:
Ciao, Michael.
openldap-technical@openldap.org
-
Marius P. -
Marius Paulauskas
-
Michael Ströder -
Pierangelo Masarati