On Thu, 2022-06-09 at 07:48 +, Stuart Henderson wrote:
> On 2022-06-09, David Diggles wrote:
> > I've just got ldap login working on OpenBSD/7.1 with accounts stored
> > locally in ldapd and using ypldap.
> >
> > I just thought I'd share something so anyone reading this may save
> > wasting the time that I wasted :-)
> >
> > Your LDIF entry that you read into ldap must be as follows for
> > userPassword
> >
> > userPassword: {CRYPT}${ENCRYPTED_PASSWD}
> >
> > ie uppercase CRYPT - I was stuffing around for ages with trying to
> > understand why login_ldap was failing to bind because I had {crypt} in
> > lowercase.
>
> Perhaps it would make sense for ldapd to support {crypt} as well..
No personal preference, but seems easy enough at first glance.
Only compile-tested though...
martijn@
Index: auth.c
===
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -r1.14 auth.c
--- auth.c 24 Oct 2019 12:39:26 - 1.14
+++ auth.c 9 Jun 2022 11:23:06 -
@@ -220,7 +220,7 @@ check_password(struct request *req, cons
if (stored_passwd == NULL)
return -1;
- if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
+ if (strncasecmp(stored_passwd, "{SHA}", 5) == 0) {
sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
if (sz != SHA_DIGEST_LENGTH)
return (-1);
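Review bot: Nothing near the `{SHA}` test records that scheme prefixes are now matched case-insensitively, and the same switch to `strncasecmp` at the `{SSHA}`, `{CRYPT}` and `{BSDAUTH}` tests in the later hunks widens matching for all four schemes, not only the `{crypt}` case raised in the thread. A one-line comment above the chain would record the intent, e.g. `/* Scheme prefixes are matched case-insensitively, so {crypt} and {CRYPT} are equivalent. */`. POSIX declares strncasecmp in `<strings.h>`; the include list of auth.c is outside the hunk, so confirm the header is included explicitly rather than reached through `<string.h>`. check_password starts and ends outside this hunk.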
@@ -228,7 +228,7 @@ check_password(struct request *req, cons
SHA1_Update(&ctx, passwd, strlen(passwd));
SHA1_Final(md, &ctx);
return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
- } else if (strncmp(stored_passwd, "{SSHA}", 6) == 0) {
+ } else if (strncasecmp(stored_passwd, "{SSHA}", 6) == 0) {
sz = b64_pton(stored_passwd + 6, tmp, sizeof(tmp));
if (sz <= SHA_DIGEST_LENGTH)
return (-1);
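Review bot: The digest comparison on the unchanged line in the `{SHA}` branch, `return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);`, is not guaranteed to run in constant time, and the `{SSHA}` branch in the next hunk ends with the same line. Because this function checks a client-supplied password against a stored hash, a comparison whose duration does not depend on the data is the safer choice: `return (timingsafe_bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);`. The commit does not touch these lines, so this would be a follow-up rather than part of the case-insensitivity change.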
@@ -238,12 +238,12 @@ check_password(struct request *req, cons
SHA1_Update(&ctx, salt, sz - SHA_DIGEST_LENGTH);
SHA1_Final(md, &ctx);
return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
- } else if (strncmp(stored_passwd, "{CRYPT}", 7) == 0) {
+ } else if (strncasecmp(stored_passwd, "{CRYPT}", 7) == 0) {
encpw = crypt(passwd, stored_passwd + 7);
if (encpw == NULL)
return (-1);
return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);
- } else if (strncmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
+ } else if (strncasecmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
if (send_auth_request(req, stored_passwd + 9, passwd) == -1)
return (-1);
return 2; /* Operation in progress. */
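Review bot: The `{CRYPT}` branch still checks the result with `strcmp(encpw, stored_passwd + 7)`, which stops at the first differing byte. OpenBSD provides `crypt_checkpass(passwd, stored_passwd + 7)`, which hashes and compares in one call. It returns -1 for both a mismatch and an error, and it treats an empty hash together with an empty password as a match, so the mapping onto this function's 1 / 0 / -1 results would need checking against the callers, which are outside the hunk. Separately, the author notes the patch is only compile-tested; a bind with lowercase and mixed-case prefixes for each of the four schemes would confirm the new matching before commit.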