Ok, I've found my solution! Thanks to Ben Collins on the OpenLDAP list
I was cured of my mistaken concept of what the {MD5} password scheme in
OpenLDAP is for. If you want to use /etc/shadow style 8 character salted
MD5 password hashes, don't use {MD5}, use {CRYPT} still, but put it in just
as it appears in the password file ( $1$abcdefgh$sadfsdfsfsadfsd... ), and
it just knows.
Maybe my finding this out the hard (and embarrassing) way will help someone
else down the road.
Thanks
On Thu, Mar 27, 2003 at 10:42:47AM -0500, Joshua E Warchol wrote:
> I hope this hasn't been addressed too many times before - I've tried to check
> the list archives for answers and didn't find what I'm looking for.
>
> I've got a need to support users with cleartext, crypt and system md5
> passwords stored in LDAP (OpenLDAP). Right now I'm doing cleartext (eww)
> and crypt by setting LDAP_AUTHBIND to 1 and letting OpenLDAP deal with the
> password format. The crypted passwords have {CRYPT} prepended to them and
> OpenLDAP is happy with this.
>
> The time has come where I need to support MD5 passwords. These are in the
> 8 character salted version you might see in /etc/shadow. OpenLDAP supports
> salted MD5 password hashes, but only with 2 bytes of salt, as far as I can see.
> This would be the {SMD5} format in LDAP. Since I don't have that type of
> hash, using ldap binds to authenticate isn't going to work any more.
>
> I've used system type MD5 password hashes with Courier before (notably with
> MySQL) by having Courier do the password comparison (LDAP_AUTHBIND 0). The
> problem here is then still supporting the cleartext passwords. Currently
> all my passwords are accessed by LDAP_CRYPTPW via the userPassword attribute in
> LDAP. For Courier to understand the clear passwords, if I understand this
> properly, I would need to list them in LDAP_CLEARPW. Can both types be
> specified in the same configuration? What happens if either is missing, or
> if both exist?
>
> The only solution I see right now is to stick with LDAP_AUTHBIND 0, and take
> all my clear passwords and send them through either a system MD5 hash, or
> crypt.
>
> Comments and ideas?
>
> --
> Joshua Warchol
> UNIX Systems Administrator
> DSL.net
--
Joshua Warchol
UNIX Systems Administrator
DSL.net
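The arrangement the thread settles on, as an added example that is not part of the original posts or of OpenLDAP/Courier: a Python implementation of the /etc/shadow `$1$` scheme (md5crypt) and a checker that dispatches on the RFC 2307 scheme prefix of a userPassword value, so that `{CRYPT}$1$salt$hash` is compared with crypt(3) semantics while `{MD5}` is treated as what it actually is (base64 of an unsalted digest). The function names and sample values are constructed for this example; only the `$1$` flavour of crypt is handled.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    # crypt(3)'s own base-64 alphabet, least significant 6 bits first
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password, salt):
    """The $1$ scheme from /etc/shadow (FreeBSD/glibc md5crypt); salt is at most 8 chars."""
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw), 0, -16):  # mix in alt, len(pw) bytes in total
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in triples)
    return "$1$" + s.decode() + "$" + out + _to64(final[11], 2)

def check_userpassword(stored, candidate):
    """True if candidate matches an OpenLDAP userPassword value (RFC 2307 prefixes)."""
    if stored.startswith("{") and "}" in stored:
        scheme, value = stored[1:].split("}", 1)
        scheme = scheme.upper()
    else:
        scheme, value = "CLEARTEXT", stored  # no prefix means cleartext
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(value.encode(), candidate.encode())
    if scheme == "MD5":  # unsalted base64(md5(pw)): NOT the shadow-file $1$ format
        return hmac.compare_digest(base64.b64decode(value), hashlib.md5(candidate.encode()).digest())
    if scheme == "CRYPT" and value.startswith("$1$"):  # crypt(3) semantics, $1$ flavour only
        return hmac.compare_digest(md5crypt(candidate, value.split("$")[2]).encode(), value.encode())
    return False  # {SMD5}, {SSHA}, DES crypt etc. are not handled in this example
```

The `{MD5}` branch makes the original confusion concrete: a `$1$` string stored under `{MD5}` can never verify, because that scheme expects a base64 digest, not a crypt string.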
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users