Re: LDAP authentication with PAM
>>>>> "Marc" == Marc Martinez <email@example.com> writes:
Marc> hmmm, I haven't examined the deb's for potato with TLS
Marc> support yet, but building my own for unstable recently I ran
Marc> into a problem with being unable to authenticate any of my
Marc> users with md5 hashed passwords. the problem turned out to
Ohhh.... Sounds suspiciously like my problem.
I have just realized that:
a) password generates cleartext passwords (how do I fix this?)
b) directory administrator generates MD5 passwords that cannot be used.
Initially I blamed this on directory administrator... :-(
Marc> be with libcrypto being linked in before libcrypt, and the
Marc> crypt() function being overridden without support for the
Marc> md5 hashes. after whacking out a quick c program to verify
Marc> my suspicion I went over all the Makefiles changing the
Marc> XXLIBS variable to include LUTIL_LIBS before SECURITY_LIBS
Marc> and everything worked fine.
I take it that libcrypto has its own crypt function that doesn't have
MD5 support? Why?
Anyway I cheated. I changed the SECURITY_LIB= line in build/top.mk to
have -lcrypt hard-coded in front.
(by cheat I mean: take a shortcut that results in me having to
recompile openldap 10 times trying to work out why the problem still
hasn't gone away instead of only once).
IT WORKS! AMAZING!
>> >ldapsearch -x -Duid=root,ou=People,dc=chocbit,dc=org,dc=au -W uid=root
>> Enter LDAP Password:
>> ldap_bind: Can't contact LDAP server
>> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Marc> assuming you used netstat to verify that the server is
Marc> actually listening on port 636, did you generate a
Marc> certificate and add the TLSCertificate* options to the
Marc> slapd.conf file?
Ummm... No... That can't be important can it?
<evil grin>of course it's not my fault</evil grin>.
Where can I find documentation on the appropriate options?
Brian May <firstname.lastname@example.org>
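
The thread mentions a quick C program used to confirm that the crypt() picked up at link time lacks MD5 support. A probe of that kind follows as an added example; it is not code from the thread or from OpenLDAP. The salt value, the two stub functions and the PROBE_SYSTEM_CRYPT macro are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#ifdef PROBE_SYSTEM_CRYPT  /* build with -DPROBE_SYSTEM_CRYPT and the link line under test */
#include <crypt.h>
#endif

typedef char *(*crypt_fn)(const char *key, const char *salt);
enum { MD5_OK = 0, MD5_UNSUPPORTED = 1 };
#define MD5_SALT "$1$abcdefgh$"   /* constructed salt */
#define MD5_HASH_CHARS 22         /* length of the encoded MD5 digest */

/* An MD5-aware crypt() echoes "$1$<salt>$" and appends 22 hash characters.
 * A DES-only crypt() returns NULL or a 13-character string built from the
 * first two salt characters, so it fails the checks below. */
int probe_md5(crypt_fn fn)
{
    const char *out = fn("secret", MD5_SALT);
    if (out == NULL || strncmp(out, MD5_SALT, strlen(MD5_SALT)) != 0)
        return MD5_UNSUPPORTED;
    return strlen(out) == strlen(MD5_SALT) + MD5_HASH_CHARS
               ? MD5_OK : MD5_UNSUPPORTED;
}

/* Constructed stand-ins, not real hashes: they only mimic the output shape. */
char *des_only_stub(const char *key, const char *salt)
{
    static char buf[14];
    (void)key;
    snprintf(buf, sizeof buf, "%.2sXXXXXXXXXXX", salt);
    return buf;
}

char *md5_aware_stub(const char *key, const char *salt)
{
    static char buf[64];
    (void)key;
    snprintf(buf, sizeof buf, "%sAAAAAAAAAAAAAAAAAAAAAA", salt);
    return buf;
}

int main(void)
{
    printf("DES-only stub : %s\n", probe_md5(des_only_stub) ? "no MD5" : "MD5 ok");
    printf("MD5-aware stub: %s\n", probe_md5(md5_aware_stub) ? "no MD5" : "MD5 ok");
#ifdef PROBE_SYSTEM_CRYPT
    printf("linked crypt(): %s\n", probe_md5(crypt) ? "no MD5" : "MD5 ok");
#endif
    return 0;
}
```

Building it with -DPROBE_SYSTEM_CRYPT and the same library order as the failing binary reports which crypt() the linker resolved first.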