
Bug 83995

Summary: slapd doesn't accept encrypted passwords, it just replies: 'ldap_bind: Invalid credentials (49)'
Product: Gentoo Linux
Reporter: gessy <gessyjr>
Component: [OLD] Unspecified
Assignee: Robin Johnson <robbat2>
Status: RESOLVED INVALID    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description gessy 2005-03-03 13:16:36 UTC
I have installed my system with Kerberos authentication. When I emerged openldap, slapd cannot accept encrypted passwords, and I tried many kinds of encryption support.
PS: the commands 'ldapsearch' and 'ldapsearch -x' work in the same way, and 'ldapsearch' should return an error due to the encrypted password. If I use a clear text password in rootpw and the userPassword attribute, everything works fine.

Reproducible: Always
Steps to Reproduce:
1. emerge pam_krb5 nss_ldap pam_ldap
2. emerge openldap
3. configure /etc/openldap/slapd.conf (rootpw {MD5}Password ) and do an authenticated search with ldapsearch -x -D"cn=manager,dc=mydomain,dc=com" -W

Actual Results:  
in the stderr: ldap_bind: Invalid credentials (49)
and in the slapd.log: slapd[22558]: conn=1 op=0 RESULT tag=97 err=49 text


Expected Results:  
The software Openldap should accept encrypted passwords in the slapd.conf and in
the attribute userPassword, performing search in the database.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-03 21:50:48 UTC
please attach your slapd.conf, and emerge info output.

As a test, put this in your slapd.conf:
rootpw          {SSHA}t9uHfJ6OwNI5DQXR8gQ7CYBmP+Q9NL5R

(it's the hash of 'research')

also specify what version of openldap you have installed.
Comment 2 gessy 2005-03-04 04:46:06 UTC
I have used openldap-2.1.30-r2 and I realized that I have this problem when I use the command 'slappasswd -T file', putting the output in the slapd.conf. But when I use just 'slappasswd -s pasword' everything works fine. Does that make sense?
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-04 15:21:47 UTC
yup, you hashed an entire file to generate a password.
after that it's really hard to enter the password directly to match ;-).
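
Why a hash made from a whole file does not match the password typed at the bind prompt, shown as an added example that is not part of the original bug thread: a minimal Python model of the {SSHA} scheme (not OpenLDAP's code). It assumes the file ended with a newline, as files written by echo or an editor usually do; the file contents and the fixed salt are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"


def ssha_hash(secret: bytes, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(secret + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(secret + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Check a bind password against a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    expected = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Compare hashing a file's bytes with hashing the password itself."""
    file_contents = b"research\n"   # constructed: password plus trailing newline
    salt = b"\x01\x02\x03\x04"      # constructed fixed salt, for repeatable output
    from_file = ssha_hash(file_contents, salt)   # every byte of the file is hashed
    from_arg = ssha_hash(b"research", salt)      # only the password is hashed
    return {
        # The user types "research" at the -W prompt, without the newline.
        "file_hash_accepts_typed_password": ssha_verify(from_file, b"research"),
        "file_hash_accepts_file_bytes": ssha_verify(from_file, file_contents),
        "arg_hash_accepts_typed_password": ssha_verify(from_arg, b"research"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    # Value quoted in comment 1, which states it is the hash of 'research'.
    page_value = "{SSHA}t9uHfJ6OwNI5DQXR8gQ7CYBmP+Q9NL5R"
    print("comment 1 value verifies 'research':", ssha_verify(page_value, b"research"))
```

A bind against the file-derived hash only succeeds if the client sends the file's exact bytes, which is not what gets typed at the password prompt.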