[ILUG] Moving authentication to LDAP
Martin Feeney
martin at tuatha.org
Thu Jan 31 16:02:41 GMT 2002
On Thu, 31 Jan 2002 15:15:32 Mel wrote:
> > Try migrating the passwd file to an ldif. Edit the produced ldif and
> > substitute all instances of {crypt} with {md5}. Then import that ldif.
> Tried that already. both with base64 encoding and without. I still get
> invalid credentials when I try to bind as a user with the old login
> password
OK. I just did something similar. I left it as {crypt}, didn't bother
base64 encoding. I added the user to my ldap database (and removed it from
/etc/passwd) then I logged in with the old password just fine.
If the userPassword starts with $1$ then it's an md5, but setting the
scheme to {crypt} means ldap will use the crypt(3) function to compare
passwords - this recognises the $1$ as signifying md5 and the next 8
chars as the salt.
I've only installed libnss_ldap and changed nsswitch.conf to use ldap - I
can login directly and ssh to the machine verifying against ldap.
ldapsearch works for me, but without the need for a passphrase, or even
the binddn. Make sure you're using simple authentication (-x) or have
ldap set up correctly with TLS/SASL.
To give some examples (I don't have SASL set up yet):
$ ldapsearch -D "uid=mbf,..." -W
Enter LDAP password: <enter correct password>
ldap_sasl_interactive_bind_s: No such attribute
$ ldapsearch -D "uid=mbf,..." -W -x
Enter LDAP password: <enter correct password>
<big ldap database dump>
$ ldapsearch -D "uid=mbf,..." -W -x
Enter LDAP password: <enter incorrect password>
ldap_bind: Invalid credentials
$ ldapsearch -x
<big ldap database dump>
$ ldapsearch -D "uid=mbf,..." -x
<big ldap database dump>
I hope some of this helps.
Martin.
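Added illustration (not part of the original mail) of the point above about {crypt} and $1$ hashes, and of why substituting {md5} for {crypt} in the migrated ldif breaks the bind: a pure-Python md5crypt plus a checker that compares a candidate password the way slapd's {CRYPT} and {MD5} schemes do. It assumes slapd's {MD5} scheme is base64(md5(password)) with no salt; the password "Secret1" and salt "ab12cd34" are constructed sample values.

```python
import base64
import hashlib
import hmac

# Alphabet crypt(3) uses for its own base-64 output (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def md5crypt(password: str, salt: str) -> str:
    """crypt(3) '$1$' scheme: '$1$' + up to 8 salt chars + '$' + 22 chars."""
    pw, magic = password.encode(), b"$1$"
    s = salt.encode().split(b"$", 1)[0][:8]   # salt stops at '$' or 8 chars
    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # crypt(3) interleaves the 16 digest bytes before base-64 encoding them.
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for
                  a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$%s$%s%s" % (s.decode(), out, _to64(final[11], 2))

def check_userpassword(stored: str, candidate: str) -> bool:
    """Compare like slapd: {CRYPT} re-runs crypt(3) with the stored salt,
    {MD5} expects base64(md5(password)) with no salt at all (assumption)."""
    scheme, _, value = stored.partition("}")
    scheme = scheme.lstrip("{").lower()
    if scheme == "crypt" and value.startswith("$1$"):
        return hmac.compare_digest(md5crypt(candidate, value[3:]), value)
    if scheme == "md5":
        digest = base64.b64encode(hashlib.md5(candidate.encode()).digest())
        return hmac.compare_digest(digest.decode(), value)
    return False
```

Running check_userpassword("{crypt}" + md5crypt("Secret1", "ab12cd34"), "Secret1") succeeds, while the same $1$ string relabelled as {md5} fails for the correct password, which is the "invalid credentials" seen in the thread.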