[moved from misc to tech]
On 2022/06/09 13:26, Martijn van Duren wrote:
> On Thu, 2022-06-09 at 07:48 +0000, Stuart Henderson wrote:
> > On 2022-06-09, David Diggles <[email protected]> wrote:
> > > I've just got ldap login working on OpenBSD/7.1 with accounts stored
> > > locally in ldapd and using ypldap.
> > >
> > > I just thought I'd share something so anyone reading this may save
> > > wasting the time that I wasted :-)
> > >
> > > Your LDIF entry that you read into ldap must be as follows for
> > > userPassword
> > >
> > > userPassword: {CRYPT}${ENCRYPTED_PASSWD}
> > >
> > > i.e. uppercase CRYPT - I was stuffing around for ages with trying to
> > > understand why login_ldap was failing to bind because I had {crypt} in
> > > lowercase.
> >
> > Perhaps it would make sense for ldapd to support {crypt} as well..
>
> No personal preference, but seems easy enough at first glance.
> Only compile-tested though...
>
> martijn@
I'm not using ldapd myself (I want replication so I'm using OpenLDAP)
but I think this is the way to go. OpenLDAP works with upper- or lower-case.
RFC2307 uses lower-case for the scheme names.
FWIW OK sthen@
The only downside I can see is that if a user's password is *not*
encrypted and starts with {crypt}, {ssha}, etc., there will be a conflict.
But it already exists for the upper-case version and it seems unlikely
to be a problem in real world use.
> Index: auth.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 auth.c
> --- auth.c 24 Oct 2019 12:39:26 -0000 1.14
> +++ auth.c 9 Jun 2022 11:23:06 -0000
> @@ -220,7 +220,7 @@ check_password(struct request *req, cons
> if (stored_passwd == NULL)
> return -1;
>
> - if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
> + if (strncasecmp(stored_passwd, "{SHA}", 5) == 0) {
> sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
> if (sz != SHA_DIGEST_LENGTH)
> return (-1);
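Review bot: the prefix length is still a hand-maintained magic number sitting next to its literal (`strncasecmp(stored_passwd, "{SHA}", 5)` and the matching `stored_passwd + 5` on the next line), and the same pattern repeats with 6, 7 and 9 in the hunks below. Since every branch is being touched anyway, a `sizeof("{SHA}") - 1` form, or a small table of tag/handler pairs walked with strncasecmp, would keep the tag and its length from drifting apart when the next scheme is added. Wherever the supported {SHA}/{SSHA}/{CRYPT}/{BSDAUTH} tags are documented, a line saying the tag is now matched case-insensitively would also be worth adding.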
> @@ -228,7 +228,7 @@ check_password(struct request *req, cons
> SHA1_Update(&ctx, passwd, strlen(passwd));
> SHA1_Final(md, &ctx);
> return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
> - } else if (strncmp(stored_passwd, "{SSHA}", 6) == 0) {
> + } else if (strncasecmp(stored_passwd, "{SSHA}", 6) == 0) {
> sz = b64_pton(stored_passwd + 6, tmp, sizeof(tmp));
> if (sz <= SHA_DIGEST_LENGTH)
> return (-1);
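Review bot: `return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);` (here and in the {SHA} hunk above) compares the candidate digest with a plain bcmp, which stops at the first differing byte. This diff does not introduce it, but since both lines are in the visible context, timing_safe_bcmp(3) is a drop-in replacement and would make a sensible follow-up commit. The unchanged `if (sz <= SHA_DIGEST_LENGTH) return (-1);` correctly keeps the requirement of at least one salt byte for the digest-then-salt layout consumed by `SHA1_Update(&ctx, salt, sz - SHA_DIGEST_LENGTH)`.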
> @@ -238,12 +238,12 @@ check_password(struct request *req, cons
> SHA1_Update(&ctx, salt, sz - SHA_DIGEST_LENGTH);
> SHA1_Final(md, &ctx);
> return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
> - } else if (strncmp(stored_passwd, "{CRYPT}", 7) == 0) {
> + } else if (strncasecmp(stored_passwd, "{CRYPT}", 7) == 0) {
> encpw = crypt(passwd, stored_passwd + 7);
> if (encpw == NULL)
> return (-1);
> return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);
> - } else if (strncmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
> + } else if (strncasecmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
> if (send_auth_request(req, stored_passwd + 9, passwd) == -1)
> return (-1);
> return 2; /* Operation in progress. */
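Review bot: the `strncasecmp(stored_passwd, "{CRYPT}", 7)` line is the one that addresses the lowercase `{crypt}` case reported at the top of the thread, but the cover note says the diff is only compile-tested; before commit, a bind against an entry carrying a lowercase `{crypt}` value (and one with `{ssha}`) would confirm the change does what the report needs. `return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);` is the same non-constant-time comparison pattern as the bcmp lines above; a length check followed by timing_safe_memcmp(3) would do, as a separate change. The hunk stops before the closing else, so the handling of a stored value with no recognised tag, which the plaintext-password remark in the reply touches on, is not visible here and is unchanged by this diff.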
>
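A Python model of the check the patch touches, added here as an example and not ldapd's own code: it builds RFC 2307 style `{SHA}` and `{SSHA}` userPassword values and verifies them the way the patched `check_password()` does, with the scheme tag matched case-insensitively and the payload treated as base64(digest || salt). The plaintext fallback for untagged values is an assumption inferred from the remark above about unencrypted passwords (the final else branch is not in the quoted hunks), and `{CRYPT}`/`{BSDAUTH}` are left out because they depend on crypt(3) and bsd_auth(3). The last case in the tests shows the collision described in the reply: a literal password that happens to start with `{sha}` is parsed as a hash and rejected.

```python
"""Generate and verify RFC 2307 style userPassword values the way ldapd's
check_password() does after the strncasecmp change: the {SCHEME} tag is
matched case-insensitively, the payload is base64(digest [+ salt]).
Added example, not ldapd code."""
import base64
import binascii
import hashlib
import hmac
import os

SHA_DIGEST_LENGTH = 20  # SHA-1 output size, the same constant auth.c uses


def split_scheme(stored):
    """Return (SCHEME, payload) for '{scheme}payload', or (None, stored).
    The tag is upper-cased, mirroring strncasecmp() in auth.c."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def make_sha(passwd):
    """Unsalted SHA-1, stored as {SHA}base64(digest)."""
    digest = hashlib.sha1(passwd.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha(passwd, salt=None):
    """Salted SHA-1, stored as {SSHA}base64(digest || salt): the salt
    follows the first SHA_DIGEST_LENGTH bytes, as ldapd expects."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(passwd.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def lowercase_tag(stored):
    """'{SSHA}abc' -> '{ssha}abc' without touching the base64 payload."""
    scheme, payload = split_scheme(stored)
    return "{" + scheme.lower() + "}" + payload if scheme else stored


def check_password(stored, passwd):
    """1 = match, 0 = mismatch, -1 = malformed stored value (ldapd's codes)."""
    scheme, payload = split_scheme(stored)
    if scheme in ("SHA", "SSHA"):
        try:
            raw = base64.b64decode(payload, validate=True)
        except binascii.Error:
            return -1  # corresponds to a b64_pton() failure in auth.c
        pw = passwd.encode()
        if scheme == "SHA":
            if len(raw) != SHA_DIGEST_LENGTH:
                return -1
            digest = hashlib.sha1(pw).digest()
            return 1 if hmac.compare_digest(digest, raw) else 0
        if len(raw) <= SHA_DIGEST_LENGTH:  # need at least one salt byte
            return -1
        salt = raw[SHA_DIGEST_LENGTH:]
        digest = hashlib.sha1(pw + salt).digest()
        return 1 if hmac.compare_digest(digest, raw[:SHA_DIGEST_LENGTH]) else 0
    # No recognised tag: treat the stored value as an unencrypted password.
    # Assumption: the thread's remark about unencrypted passwords implies this
    # fallback, but the final else branch is not in the quoted diff.
    return 1 if hmac.compare_digest(stored.encode(), passwd.encode()) else 0


if __name__ == "__main__":
    entry = make_ssha("secret", salt=b"\x01\x02\x03\x04")  # constructed salt
    print(entry, check_password(entry, "secret"))
    print(lowercase_tag(entry), check_password(lowercase_tag(entry), "secret"))
    # A literal password that starts with a scheme tag is parsed as a hash:
    print("{sha}hunter2", check_password("{sha}hunter2", "{sha}hunter2"))
```

`hmac.compare_digest` stands in for the plain `bcmp`/`strcmp` the C code uses; the return codes (1, 0, -1) follow `check_password()` so the model can be compared line by line with the hunks above.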