[moved from misc to tech]

On 2022/06/09 13:26, Martijn van Duren wrote:
> On Thu, 2022-06-09 at 07:48 +0000, Stuart Henderson wrote:
> > On 2022-06-09, David Diggles <da...@elven.com.au> wrote:
> > > I've just got ldap login working on OpenBSD/7.1 with accounts stored
> > > locally in ldapd and using ypldap.
> > >
> > > I just thought I'd share something so anyone reading this may save
> > > wasting the time that I wasted :-)
> > >
> > > Your LDIF entry that you read into ldap must be as follows for
> > > userPassword
> > >
> > > userPassword: {CRYPT}${ENCRYPTED_PASSWD}
> > >
> > > ie uppercase CRYPT - I was stuffing around for ages with trying to
> > > understand why login_ldap was failing to bind because I had {crypt} in
> > > lowercase.
> >
> > Perhaps it would make sense for ldapd to support {crypt} as well..
>
> No personal preference, but seems easy enough at first glance.
> Only compile-tested though...
>
> martijn@
I'm not using ldapd myself (I want replication so I'm using OpenLDAP) but
I think this is the way to go. OpenLDAP works with upper- or lower-case.
RFC2307 uses lower-case for the scheme names.

FWIW OK sthen@

The only downside I can see is that if a user's password is *not*
encrypted and starts with {crypt}, {ssha}, etc. there will be a conflict.
But it already exists for the upper-case version and it seems unlikely
to be a problem in real-world use.

> Index: auth.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 auth.c
> --- auth.c	24 Oct 2019 12:39:26 -0000	1.14
> +++ auth.c	9 Jun 2022 11:23:06 -0000
> @@ -220,7 +220,7 @@ check_password(struct request *req, cons
>  	if (stored_passwd == NULL)
>  		return -1;
>  
> -	if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
> +	if (strncasecmp(stored_passwd, "{SHA}", 5) == 0) {
>  		sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
>  		if (sz != SHA_DIGEST_LENGTH)
>  			return (-1);
> @@ -228,7 +228,7 @@ check_password(struct request *req, cons
>  		SHA1_Update(&ctx, passwd, strlen(passwd));
>  		SHA1_Final(md, &ctx);
>  		return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
> -	} else if (strncmp(stored_passwd, "{SSHA}", 6) == 0) {
> +	} else if (strncasecmp(stored_passwd, "{SSHA}", 6) == 0) {
>  		sz = b64_pton(stored_passwd + 6, tmp, sizeof(tmp));
>  		if (sz <= SHA_DIGEST_LENGTH)
>  			return (-1);
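Review bot: in the {SSHA} hunk (and the {SHA} one before it) the tag match becomes case-insensitive but nothing in the code records why; a one-line comment above the first strncasecmp saying that RFC 2307 writes scheme names in lower case (e.g. {ssha}) and that ldapd therefore accepts either spelling would spare the next reader a trip to the list archive. The length checks that follow are unchanged and still do the right thing: `if (sz <= SHA_DIGEST_LENGTH) return (-1);` rejects a decoded value that carries no salt bytes before the salt is used.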
> @@ -238,12 +238,12 @@ check_password(struct request *req, cons
>  		SHA1_Update(&ctx, salt, sz - SHA_DIGEST_LENGTH);
>  		SHA1_Final(md, &ctx);
>  		return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
> -	} else if (strncmp(stored_passwd, "{CRYPT}", 7) == 0) {
> +	} else if (strncasecmp(stored_passwd, "{CRYPT}", 7) == 0) {
>  		encpw = crypt(passwd, stored_passwd + 7);
>  		if (encpw == NULL)
>  			return (-1);
>  		return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);
> -	} else if (strncmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
> +	} else if (strncasecmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
>  		if (send_auth_request(req, stored_passwd + 9, passwd) == -1)
>  			return (-1);
>  		return 2;	/* Operation in progress. */
>
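Review bot: the {CRYPT} branch keeps `strcmp(encpw, stored_passwd + 7)` as the final hash comparison and the {SHA}/{SSHA} branches keep bcmp; neither runs in constant time, and OpenBSD's timingsafe_bcmp(3) is a drop-in for the fixed-length digest compares (the crypt string would need an explicit length check first). That is pre-existing rather than introduced by this diff, so a follow-up is the right place for it. On documentation: with all four tags now matched regardless of case, whichever manual page lists the accepted userPassword prefixes should state that the comparison is case-insensitive, so the behaviour David ran into with {crypt} is discoverable without reading auth.c.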