The below text is from http://www.openldap.org/faq/data/cache/185.html

===========================================

Note about OpenSSL and crypt():

Current releases of OpenSSL (up to 0.9.6e at the time of this writing) include a crypt() function in the OpenSSL crypto library. This function implements the traditional 56-bit DES crypt() password algorithm. On most Unix systems, the OpenSSL version of crypt() is not needed since crypt() is usually a standard part of the Unix C libraries. Newer Unix systems also support other password hash algorithms including MD5 and DES-based hashing with longer than 8 significant password characters. On these platforms, the OpenSSL crypt() function should not be used because it will not support these newer hash algorithms, and so it will be incompatible with the hashes generated by the platform's native tools.

Unfortunately the OpenSSL crypt() function is compiled by default when OpenSSL is built, even though it is not needed (and frequently not useful) on most Unix platforms. Furthermore, when OpenLDAP is built with OpenSSL, the OpenSSL libraries will be linked before the native system's C libraries, so the native version will not be used. This situation causes lots of problems when trying to use the natively generated password hashes with OpenLDAP.

The solution is to rebuild the OpenSSL crypto library, with the crypt() function commented out or otherwise disabled. This function is in crypto/des/fcrypt.c in the OpenSSL source. After it is removed and the crypto library is rebuilt, OpenLDAP will be able to use the OpenSSL library without any further problems. If you're using dynamic/shared libraries, simply reinstalling libcrypto will be enough to fix the problems. Otherwise you'll need to relink the OpenLDAP binaries to get the correct behavior.

======================================================

Gentoo's implementation of OpenSSL is affected by this. I've got a patch and a new ebuild to solve this problem.
I will attach them to this bug. -Jason
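The FAQ text above describes the symptom: a DES-only crypt() from libcrypto silently answers requests for glibc-style MD5 ("$1$") hashes with 13-character DES strings. As an added example (not part of this bug, OpenSSL or OpenLDAP), this C program probes which crypt() a binary actually bound to; the function names, the enum and the password/salt values are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Declared weak so this file also links without -lcrypt; in that case the
 * symbol resolves to NULL and the probe reports that no crypt() was bound. */
extern char *crypt(const char *key, const char *salt) __attribute__((weak));

enum crypt_kind { CRYPT_FAILED, CRYPT_MD5, CRYPT_DES_ONLY, CRYPT_UNKNOWN };

/* Classify what crypt() returned when it was asked for an MD5 hash with a
 * "$1$..." salt.  A native (glibc-style) crypt() echoes the "$1$" prefix.
 * A DES-only crypt(), such as the one in OpenSSL's crypto/des/fcrypt.c,
 * ignores the scheme marker, uses "$1" as the two-character salt and
 * returns the classic 13-character DES string, which is incompatible with
 * hashes made by the platform's own tools. */
enum crypt_kind classify_crypt_output(const char *hash)
{
    if (hash == NULL || hash[0] == '*')   /* NULL, "*0" or "*1" signal an error */
        return CRYPT_FAILED;
    if (strncmp(hash, "$1$", 3) == 0)
        return CRYPT_MD5;
    if (strlen(hash) == 13)               /* 2 salt chars + 11 chars of output */
        return CRYPT_DES_ONLY;
    return CRYPT_UNKNOWN;
}

/* Probe the crypt() this program was actually linked against.  The password
 * and salt are constructed values; any would do. */
enum crypt_kind probe_linked_crypt(void)
{
    if (crypt == NULL)
        return CRYPT_FAILED;
    return classify_crypt_output(crypt("password", "$1$saltsalt$"));
}

int main(void)
{
    static const char *const verdict[] = {
        "no usable crypt() was linked, or it rejected the MD5 salt",
        "MD5 ($1$) honoured: the native crypt() is in use",
        "13-char DES string returned: a DES-only crypt() is shadowing the native one",
        "unrecognised crypt() output",
    };
    enum crypt_kind kind = probe_linked_crypt();
    printf("%s\n", verdict[kind]);
    return kind == CRYPT_MD5 ? 0 : 1;
}
```

Build with `cc cryptcheck.c -lcrypt`; linking as `cc cryptcheck.c -lcrypto -lcrypt` against a libcrypto that still exports its own crypt() reproduces the link order OpenLDAP ends up with and should change the verdict.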
Created attachment 4222
This patch will make it so OpenSSL will use the GLIBC crypt() function instead of its own.

The patch makes it so OpenSSL uses the native (glibc) crypt() function instead of the crypt function OpenSSL implements. Note that this was already being done for freebsd, next, and darwin in the stock code from openssl; why they didn't do it for Linux systems is beyond me. I've also read they will make this change in the 0.9.7 release.
Created attachment 4223
The modified ebuild that will implement the patch.

This modified ebuild implements the patch attached to this bug. I've tested it on a 1.2 (gcc 2.95) and on a 1.4 (gcc 3.2); it works on both. -Jason
This says 'up to 0.9.6e' ... does this mean 'up to and including' or 'everything before'? Because if it's the 2nd one, then we don't really need this patch since portage only has 0.9.6e and 0.9.6g in it atm ...
I got that from a bug report on openldap.org. 0.9.6e was what was currently available when that was written. The patch provided is still needed as of 0.9.6g. I know because I was affected by the problem and created the patch/ebuild to fix the problem against 0.9.6g. -Jason
Updated, thanks for pointing this out.