Re: LDIF case sensitivity, login_ldap

2022-06-09 Thread Martijn van Duren
On Thu, 2022-06-09 at 07:48 +, Stuart Henderson wrote:
> On 2022-06-09, David Diggles  wrote:
> > I've just got ldap login working on OpenBSD/7.1 with accounts stored 
> > locally in ldapd and using ypldap.
> > 
> > I just thought I'd share something so anyone reading this may save 
> > wasting the time that I wasted :-)
> > 
> > Your LDIF entry that you read into ldap must be as follows for 
> > userPassword
> > 
> > userPassword: {CRYPT}${ENCRYPTED_PASSWD}
> > 
> > ie uppercase CRYPT - I was stuffing around for ages with trying to 
> > understand why login_ldap was failing to bind because I had {crypt} in 
> > lowercase.
> 
> Perhaps it would make sense for ldapd to support {crypt} as well..

No personal preference, but seems easy enough at first glance.
Only compile-tested though...

martijn@

Index: auth.c
===
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -r1.14 auth.c
--- auth.c  24 Oct 2019 12:39:26 -  1.14
+++ auth.c  9 Jun 2022 11:23:06 -
@@ -220,7 +220,7 @@ check_password(struct request *req, cons
if (stored_passwd == NULL)
return -1;
 
-   if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
+   if (strncasecmp(stored_passwd, "{SHA}", 5) == 0) {
sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
if (sz != SHA_DIGEST_LENGTH)
return (-1);
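Review bot: the strncasecmp here changes which values reach this branch, not only `{sha}`: any mixed-case spelling such as `{Sha}` now decodes as a SHA-1 hash instead of falling through to the later branches, so a value that previously failed to bind will now verify. That is the intent, but it is worth saying so in the commit message and in whatever documentation lists the accepted prefixes, so operators know the tag is matched case-insensitively from now on. The length 5 is still used for both the compare and the `stored_passwd + 5` offset, so the branch stays consistent.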
@@ -228,7 +228,7 @@ check_password(struct request *req, cons
SHA1_Update(&ctx, passwd, strlen(passwd));
SHA1_Final(md, &ctx);
return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
-   } else if (strncmp(stored_passwd, "{SSHA}", 6) == 0) {
+   } else if (strncasecmp(stored_passwd, "{SSHA}", 6) == 0) {
sz = b64_pton(stored_passwd + 6, tmp, sizeof(tmp));
if (sz <= SHA_DIGEST_LENGTH)
return (-1);
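Review bot: same change as the {SHA} branch, and the prefix length 6 still lines up with the `stored_passwd + 6` offset, so nothing else in this branch needs to move. Since the cover note says this is only compile-tested, a quick runtime check with a lowercase `{ssha}` entry (and an uppercase `{SSHA}` one to confirm no regression) would cover this hunk; the `sz <= SHA_DIGEST_LENGTH` guard already rejects a decoded value that carries no salt.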
@@ -238,12 +238,12 @@ check_password(struct request *req, cons
SHA1_Update(&ctx, salt, sz - SHA_DIGEST_LENGTH);
SHA1_Final(md, &ctx);
return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
-   } else if (strncmp(stored_passwd, "{CRYPT}", 7) == 0) {
+   } else if (strncasecmp(stored_passwd, "{CRYPT}", 7) == 0) {
encpw = crypt(passwd, stored_passwd + 7);
if (encpw == NULL)
return (-1);
return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);
-   } else if (strncmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
+   } else if (strncasecmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
if (send_auth_request(req, stored_passwd + 9, passwd) == -1)
return (-1);
return 2;   /* Operation in progress. */
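Review bot: `{crypt}` is the case Stuart asked for and this hunk covers it, but the diff also relaxes `{BSDAUTH}` (and `{SHA}`/`{SSHA}` above), so the commit message should say all four tags become case-insensitive rather than just `{crypt}`. The `stored_passwd + 7` and `+ 9` offsets still match the compared lengths. While here: the `{CRYPT}` branch compares the crypt(3) output with `strcmp` and the SHA branches use `bcmp`; OpenBSD has timingsafe_bcmp(3) and timingsafe_memcmp(3), so a constant-time compare would be a cheap follow-up, though it is separate from this change.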

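The tag-prefix behaviour discussed in this thread, as an added Python illustration that is not ldapd's code: it re-implements the {SHA} and {SSHA} branches visible in the patch above (base64 of sha1(password) and of sha1(password || salt) || salt) so the lowercase-tag failure David hit can be reproduced offline, with a `case_insensitive` switch of my own to contrast the before and after behaviour. {CRYPT} and {BSDAUTH} are left out because crypt(3) output is platform-specific and bsd_auth is not reproducible here; the password and salt in the usage section are constructed sample values.

```python
"""Scheme-tag matching for ldapd-style userPassword values.

Added example, not ldapd's source. Mirrors the {SHA}/{SSHA} branches of
check_password() as shown in the quoted patch; the branch ldapd takes for
an unrecognised tag is not part of the quoted diff, so this returns None
there instead of guessing.
"""
import base64
import hashlib
import hmac
import os

SHA_DIGEST_LENGTH = 20


def make_sha(password: str) -> str:
    """Build a {SHA} value: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha(password: str, salt=None) -> str:
    """Build a {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def _tag_matches(stored: str, tag: str, case_insensitive: bool) -> bool:
    # strncmp(stored, tag, len(tag)) before the patch,
    # strncasecmp(...) after it.
    prefix = stored[:len(tag)]
    if case_insensitive:
        return prefix.lower() == tag.lower()
    return prefix == tag


def check_password(stored: str, password: str,
                   case_insensitive: bool = False):
    """Return 1 on match, 0 on mismatch, -1 on a malformed value, and
    None when no recognised scheme tag matched."""
    if _tag_matches(stored, "{SHA}", case_insensitive):
        try:
            raw = base64.b64decode(stored[5:], validate=True)
        except ValueError:
            return -1
        if len(raw) != SHA_DIGEST_LENGTH:
            return -1
        md = hashlib.sha1(password.encode()).digest()
        return 1 if hmac.compare_digest(md, raw) else 0

    if _tag_matches(stored, "{SSHA}", case_insensitive):
        try:
            raw = base64.b64decode(stored[6:], validate=True)
        except ValueError:
            return -1
        # Same guard as the patch: there must be at least one salt byte.
        if len(raw) <= SHA_DIGEST_LENGTH:
            return -1
        salt = raw[SHA_DIGEST_LENGTH:]
        md = hashlib.sha1(password.encode() + salt).digest()
        return 1 if hmac.compare_digest(md, raw[:SHA_DIGEST_LENGTH]) else 0

    return None


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    pw, salt = "hunter2", b"saltsalt"
    upper = make_ssha(pw, salt)
    lower = "{ssha}" + upper[6:]
    print("LDIF value:", "userPassword: " + upper)
    print("uppercase tag, strict   :", check_password(upper, pw))
    print("lowercase tag, strict   :", check_password(lower, pw))
    print("lowercase tag, patched  :", check_password(lower, pw, True))
```

With strict matching the lowercase value never reaches the SSHA branch, which is the "bind fails for no obvious reason" symptom from the first message; with the case-insensitive compare it verifies like the uppercase one. The `-1` paths show why the length guards matter: a tag with a too-short or non-base64 payload is rejected rather than compared.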


Re: LDIF case sensitivity, login_ldap

2022-06-09 Thread Stuart Henderson
On 2022-06-09, David Diggles  wrote:
> I've just got ldap login working on OpenBSD/7.1 with accounts stored 
> locally in ldapd and using ypldap.
>
> I just thought I'd share something so anyone reading this may save 
> wasting the time that I wasted :-)
>
> Your LDIF entry that you read into ldap must be as follows for 
> userPassword
>
> userPassword: {CRYPT}${ENCRYPTED_PASSWD}
>
> ie uppercase CRYPT - I was stuffing around for ages with trying to 
> understand why login_ldap was failing to bind because I had {crypt} in 
> lowercase.

Perhaps it would make sense for ldapd to support {crypt} as well..

> If you search the interwebs you'll find many complicated examples for 
> the ldap class in login.conf but the following worked fine for this 
> local setup:
>
> # /etc/login.conf.d/ldap
>
> ldap:\
>  :auth=ldap:\
>   :x-ldap-uscope=subtree:\
>  :tc=default:

"auth=ldap" (rather than "auth=-ldap") suggests you're using login_ldap
from the base OS, but that uses /etc/login_ldap.conf for settings so
presence of x-ldap-uscope suggests you're using login_ldap from ports.

The ports version has been left around partly because configuration is
different and it would suck if you can't login to fix it, and partly in
case anyone was actually needing the features that were dropped when it
was rewritten for the base OS.

It would be a good idea to use the base OS version as there's less risk
of it getting out of sync following updates. And if you used the ports
one and *copied* it over /usr/libexec/auth/login_ldap you definitely
want to fix that.