Greetings,
We are running OpenLDAP at our organization to do authentication for Linux machines. One strange thing I noticed is that I can bind to the server using my password, or *any* password that contains my actual password as a prefix. Let me explain with an example.
Suppose my password is "banana" (it's not). Then these passwords work to bind to the database:
- banana
- banana2
- bananafjksdfs
But these won't work:
- mbanana
- banan
I'm testing this with this command:
    ldapsearch -x -W -ZZ -H ldap://<server_address>.com \
        -b dc=mydomain,dc=com \
        -D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \
        '(uid=<my_uid>)'
Any ideas about why this happens? Thanks.
-- Chris
On Tue, Jan 26, 2010 at 2:17 PM, Christopher Kenna cjkenna@gmail.com wrote:
Greetings,
We are running OpenLDAP at our organization to do authentication for Linux machines. One strange thing I noticed is that I can bind to the server using my password, or *any* password that contains my actual password as a prefix. Let me explain with an example.
Suppose my password is "banana" (it's not). Then these passwords work to bind to the database:
- banana
- banana2
- bananafjksdfs
But these won't work:
- mbanana
- banan
I'm testing this with this command:
    ldapsearch -x -W -ZZ -H ldap://<server_address>.com \
        -b dc=mydomain,dc=com \
        -D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \
        '(uid=<my_uid>)'
Any ideas about why this happens? Thanks.
-- Chris
A buddy of mine once told me his company thought they were setting 1024-character passwords, but they were using DES and only the first 8 characters were used.
It may be that your system is using DES passwords.
openldap-technical@openldap.org
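One way to check the suggestion in the reply is to look at how the stored userPassword values are hashed. The following is an added example, not part of the original thread: it reads an LDIF export (such as slapcat output) and labels each entry's hash scheme, flagging traditional DES crypt, which reads only the first 8 characters of a password. The DNs and hash strings in the sample are constructed placeholders.

```python
import base64
import re

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")   # 2-char salt + 11-char hash
SCHEME = re.compile(r"\{([^}]+)\}(.*)", re.S)  # "{SCHEME}value"

def classify(value):
    """Return a short label for one decoded userPassword value."""
    m = SCHEME.fullmatch(value)
    if not m:
        return "no scheme prefix"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme
    if rest.startswith("$"):                    # modular crypt: $id$salt$hash
        return "CRYPT modular $" + rest.split("$")[1] + "$"
    if DES_CRYPT.fullmatch(rest):
        return "CRYPT traditional DES (8-char limit)"
    return "CRYPT other"

def audit(ldif):
    """Map each entry's dn to the label of its userPassword value."""
    findings = {}
    unfolded = ldif.replace("\n ", "")          # undo LDIF line folding
    for entry in unfolded.split("\n\n"):
        dn = None
        for line in entry.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("userPassword:: "):   # base64-encoded value
                raw = base64.b64decode(line[15:]).decode("utf-8", "replace")
                findings[dn] = classify(raw)
            elif line.startswith("userPassword: "):    # plain value
                findings[dn] = classify(line[14:])
    return findings

# Constructed sample input: DNs and hash strings are placeholders, not real data.
SAMPLE = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{CRYPT}aaPLACEHOLDER").decode(),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: {CRYPT}$6$constructedsalt$constructedhash",
])

if __name__ == "__main__":
    for dn, label in audit(SAMPLE).items():
        print(f"{dn}: {label}")
```

Entries flagged as traditional DES need their passwords reset under a stronger scheme, since the stored hash cannot be converted without the cleartext.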