
Thread: [Pam_ldap] Password Problems

  1. #1
    Cronycs NNTP User

    [Pam_ldap] Password Problems

    Hello,

    I don't know where to post my problem, so I put it here.

    I'm trying to authenticate an openSUSE server against LDAP. I've already configured authentication against my OpenLDAP server on Fedora, SUSE Enterprise and Red Hat and all work fine. But on openSUSE I met a problem.

    I installed pam_ldap, nss_ldap and openldap clients. Then I tried to configure it with YaST (like on SUSE), but when I tried "getent passwd" my users were not listed. So I changed /etc/nsswitch.conf and put "passwd files ldap" and "shadow files ldap". Now when I try "getent passwd/shadow" it lists my users.

    So I tried to connect to my server with ssh, but it doesn't work. I looked at /var/log/messages and found the error "pam_ldap: error trying to bind as user.... (Invalid Credentials)"

    I know that this error is due to the user password not being good. I have tried to contact my OpenLDAP server with:

    ldapsearch -x -D "my user dn" -W "my password"

    and it works.

    So I think that there are some missing packages on my openSUSE to crypt/decrypt passwords.

    I used the crypt(3) method on my OpenLDAP server. I've put "pam_password crypt" in /etc/ldap.conf

    Do you know what package is used on openSUSE for the crypt(3) method?

    Thanks in advance

    (sorry for my English)

  2. #2
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Re: [Pam_ldap] Password Problems

    I doubt that the system decrypts the password to check with the LDAP server. I don't think it's possible to decrypt because the hash algorithm is generally one way. In fact I'm pretty sure that the LDAP server doesn't store the original password. What happens is the client hashes the password with the selected algorithm and then sends it to the LDAP server for comparison. If the hashes match, the password is correct.

    There are variations on crypt. What you have to do is look at the type of hash used on the LDAP server and match that. This is specified in {} before the hash in the LDAP record. You may find that it's {md5crypt}, not {crypt}. In which case the pam_ldap module must use the same hash algorithm.
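The {scheme} prefix mentioned in the post above can be read directly from directory output. The following is an added example, not part of the original posts: it classifies userPassword values from LDIF (as printed by ldapsearch, where "::" marks a base64-encoded value) by their prefix and, for {CRYPT}, by crypt(3) variant. The function names, DNs and hash strings are constructed for illustration.

```python
import base64
import re

# crypt(3) output formats, recognised by prefix (or by length for old DES).
CRYPT_VARIANTS = [
    (r"\$1\$", "md5-crypt"),
    (r"\$2[aby]\$", "bcrypt"),
    (r"\$5\$", "sha256-crypt"),
    (r"\$6\$", "sha512-crypt"),
    (r"[./0-9A-Za-z]{13}$", "des-crypt"),
]

def classify(stored):
    """Return (scheme, crypt_variant) for one userPassword value."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", stored, re.S)
    if not m:
        return ("none", None)           # no {scheme} prefix at all
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, None)           # e.g. SSHA, MD5, SMD5
    for pattern, name in CRYPT_VARIANTS:
        if re.match(pattern, rest):
            return (scheme, name)
    return (scheme, "unknown")

def scan_ldif(text):
    """Map each dn to the classification of its userPassword value."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    results, dn = {}, None
    for line in text.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:]
        m = re.match(r"(?i)userPassword(::?) (.*)", line)
        if m:
            value = m.group(2)
            if m.group(1) == "::":      # "::" marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            results[dn] = classify(value)
    return results

def make_entry(uid, stored):
    """Build a constructed LDIF entry the way ldapsearch prints it."""
    b64 = base64.b64encode(stored.encode()).decode()
    return f"dn: uid={uid},ou=people,dc=example,dc=org\nuserPassword:: {b64}\n\n"

# Constructed sample values, not real hashes and not taken from the thread.
SAMPLE = (make_entry("alice", "{CRYPT}ab0123456789A")
          + make_entry("bob", "{crypt}$1$saltsalt$0123456789abcdefghijkl")
          + make_entry("carol", "{SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLXZhbHVl"))
```

Calling scan_ldif(SAMPLE) returns one (scheme, variant) pair per DN, which can be compared with the pam_password line in /etc/ldap.conf on the client.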

  3. #3
    Cronycs NNTP User

    Re: [Pam_ldap] Password Problems

    Quote: Originally posted by ken_yap
    I doubt that the system decrypts the password to check with the LDAP server. I don't think it's possible to decrypt because the hash algorithm is generally one way. In fact I'm pretty sure that the LDAP server doesn't store the original password. What happens is the client hashes the password with the selected algorithm and then sends it to the LDAP server for comparison. If the hashes match, the password is correct.

    There are variations on crypt. What you have to do is look at the type of hash used on the LDAP server and match that. This is specified in {} before the hash in the LDAP record. You may find that it's {md5crypt}, not {crypt}. In which case the pam_ldap module must use the same hash algorithm.

    I am sure that on the LDAP server the type of hash is {crypt}. I put in the information and crypt the passwords myself with the "slappasswd -h '{crypt}'" function.

  4. #4

    Re: [Pam_ldap] Password Problems

    Well make whatever you will of it, but on a RHEL system I have access to, /etc/ldap.conf contains:

    pam_password md5

    It's authenticating to a Fedora Directory Server though, but I think it's the same setting for OpenLDAP.

  5. #5
    Cronycs NNTP User

    Re: [Pam_ldap] Password Problems

    Quote: Originally posted by ken_yap
    Well make whatever you will of it, but on a RHEL system I have access to, /etc/ldap.conf contains:

    pam_password md5

    It's authenticating to a Fedora Directory Server though, but I think it's the same setting for OpenLDAP.

    Thanks for trying to help me, ken_yap.

    I have already made the authentication work against my OpenLDAP server with "pam_password crypt".

    I am pretty sure I have encountered the same problem previously and resolved it by removing a 32-bit package that caused conflicts, but I don't remember the name of this package.
