
Re: LDAP authentication with PAM



On Fri, Apr 13, 2001 at 02:00:03PM +1000, Brian May wrote:
> 
> 6. change root's password, and everything is OK again.
> 
> So it seems that LDAP, at least the version advertised here will
> replace your root password when being installed. Arrgghh!

hmmm, I haven't examined the debs for potato with TLS support yet,
but building my own for unstable recently I ran into a problem with
being unable to authenticate any of my users with md5 hashed
passwords.  the problem turned out to be with libcrypto being linked
in before libcrypt, and the crypt() function being overridden without
support for the md5 hashes.  after whacking out a quick C program to
verify my suspicion I went over all the Makefiles changing the XXLIBS
variable to include LUTIL_LIBS before SECURITY_LIBS and everything
worked fine.

> >ldapsearch -x -Duid=root,ou=People,dc=chocbit,dc=org,dc=au -W uid=root
> Enter LDAP Password: 
> ldap_bind: Can't contact LDAP server
> 	additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

assuming you used netstat to verify that the server is actually
listening on port 636, did you generate a certificate and add the
TLSCertificate* options to the slapd.conf file?

> (oh, this time when I downgraded openldap the root password remained
> OK, so don't know what happened before...)

that would be because when you re-created it the hash used was DES
which both libraries will support just fine.

hope this helps..

Marc
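
A check of the kind described above, written here as an added example (it is not the program from the original post): it asks whichever crypt() the linker resolved to hash a constructed password with an MD5 ("$1$") salt and classifies the result. The probe values, function names and enum are assumptions made for this illustration.

```c
/* Added example: which hash scheme does the crypt() linked into this binary honour? */
#include <stdio.h>
#include <string.h>

/* Weak reference (GCC/Clang extension): the file still links when no library
 * on the link line provides crypt(); the symbol is then NULL at run time. */
extern char *crypt(const char *key, const char *salt) __attribute__((weak));

enum crypt_kind { CRYPT_UNAVAILABLE, CRYPT_MD5, CRYPT_DES_ONLY, CRYPT_OTHER };

/* Constructed probe values, not taken from the original post. */
static const char PROBE_KEY[]  = "probe-password";
static const char PROBE_SALT[] = "$1$abcdefgh$";

/* Classify what crypt() returned for PROBE_SALT. */
enum crypt_kind classify_crypt_output(const char *out)
{
    size_t salt_len = strlen(PROBE_SALT);

    if (out == NULL)
        return CRYPT_UNAVAILABLE;
    /* MD5-crypt echoes "$1$<salt>$" and appends 22 hash characters. */
    if (strncmp(out, PROBE_SALT, salt_len) == 0 && strlen(out) == salt_len + 22)
        return CRYPT_MD5;
    /* A traditional DES-only crypt() keeps just the first two salt bytes
     * ("$1") and appends 11 characters from [./0-9A-Za-z]: 13 in total. */
    if (strlen(out) == 13 && strncmp(out, PROBE_SALT, 2) == 0 && out[2] != '$')
        return CRYPT_DES_ONLY;
    return CRYPT_OTHER;
}

/* Run the probe against whichever crypt() the linker resolved. */
enum crypt_kind probe_linked_crypt(void)
{
    return classify_crypt_output(crypt ? crypt(PROBE_KEY, PROBE_SALT) : NULL);
}

int main(void)
{
    static const char *const label[] = {
        "crypt() missing or returned NULL",
        "crypt() handles $1$ (MD5) hashes",
        "crypt() is DES-only: $1$ hashes will never verify",
        "crypt() returned an unrecognised format",
    };
    enum crypt_kind kind = probe_linked_crypt();

    puts(label[kind]);
    return kind == CRYPT_MD5 ? 0 : 1;
}
```

Build it once per candidate link order (for example with -lcrypto before -lcrypt, then the reverse) and compare the output; the exit status is 0 only when MD5 hashes are handled.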


