[PLUG] passwd hash when using openldap

Galen Seitz galens at seitzassoc.com
Thu Jun 26 23:21:03 UTC 2008


Wil Cooley wrote:
> On Mon, 2008-06-23 at 21:43 -0700, Galen Seitz wrote:
>> I've got a CentOS 5 machine running with openldap for authentication. 
>>   It's mostly working, but I'm puzzled as to why passwords are being 
>> saved in crypt form.  I used authconfig to select ldap and md5, yet 
>> when I use passwd to change a password the corresponding ldap entry 
>> looks like userPassword: {crypt}...  This is true regardless of 
>> whether root or a normal user changes the password.  Any ideas as to 
>> what I'm doing wrong?
> 
> Probably nothing. Are the first 3 letters of the crypted password '$1$'?
> If so, then it's using MD5 hashing rather than DES hashing (crypt(3)),
> just like it would if it were in /etc/shadow. This form is for
> compatibility with existing systems that already understand BSD-style
> MD5 hashes in the shadow NSS database. You get MD5-hashed passwords in
> both cases of '{crypt}$1$' and '{MD5}'.

You are correct.  I might have figured it out for myself had I been able 
to see the actual hash.  As I now know, the ldap userPassword value is 
base64 encoded.  For those who are interested, a disabled/invalid 
password entry might look like this:

userPassword:: e2NyeXB0fXg=

# echo -n e2NyeXB0fXg= | base64 -d
{crypt}x


thanks,
galen

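Added example, not code from the original thread: the script below does what the two posts above describe by hand. It reads a constructed LDIF fragment in the form `slapcat` or `ldapsearch -LLL` emits, unfolds continuation lines, base64-decodes every `::` value (including the `e2NyeXB0fXg=` quoted in the post, which is the only value here taken from the thread), and then reports, per entry, the storage scheme token (`{crypt}`, `{MD5}`, ...), the crypt(3) algorithm implied by the prefix of a `{crypt}` string (`$1$` md5crypt, `$5$`/`$6$` SHA-crypt, a bare 13-character string for traditional DES), and whether the entry is a placeholder such as `{crypt}x` or a shadow-style `!`-locked hash. All DNs and hashes other than `{crypt}x` are made up for the sample. One caveat a reader of such output should keep in mind: `{MD5}` and `{crypt}$1$` are not interchangeable. `{MD5}` is the unsalted base64 MD5 digest, so two users with the same password get identical values, while `$1$` is glibc's salted, iterated md5crypt; the last function shows why the unsalted form can be checked with a single `hashlib` call.

```python
"""Audit userPassword values in an OpenLDAP LDIF export (added example)."""
import base64
import hashlib
import re

# Constructed sample LDIF, not from the original post. uid=bob carries the
# disabled value quoted in the thread; every other hash below is made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {crypt}$1$abcdefgh$0123456789abcdefghijkl

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: e2NyeXB0fXg=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: e2NyeXB0fSE=

dn: uid=dave,ou=People,dc=example,dc=com
userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==

dn: uid=erin,ou=People,dc=example,dc=com
userPassword: {crypt}abJnggxhB/yWI

dn: uid=frank,ou=People,dc=example,dc=com
userPassword: {crypt}!$1$abcdefgh$0123456789abcdefghijkl
"""

# crypt(3) algorithm identifiers: the text after {crypt} is a shadow-style string.
CRYPT_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
                  "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return [(dn, [userPassword, ...]), ...]; '::' marks a base64-encoded value."""
    entries, dn, passwords = [], None, []
    for line in unfold_ldif(text) + [""]:        # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, passwords))
            dn, passwords = None, []
            continue
        m = re.match(r"([^:#][^:]*)(::?) ?(.*)", line)   # skips '#' comment lines
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            passwords.append(value)
    return entries


def classify(value):
    """Describe one userPassword value: scheme token, hash algorithm, account state."""
    m = re.match(r"\{([^}]+)\}(.*)", value, re.S)
    if not m:
        return {"scheme": "cleartext", "algorithm": None, "state": "active"}
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        # {MD5} and {SHA} are unsalted base64 digests; {SMD5} and {SSHA} append a salt.
        return {"scheme": scheme, "algorithm": scheme.lower(), "state": "active"}
    state = "active"
    if rest.startswith("!"):                 # shadow-style lock: hash kept but unusable
        state, rest = "locked", rest.lstrip("!")
    if rest in ("", "x", "*"):               # placeholder: nothing can ever match it
        return {"scheme": scheme, "algorithm": None, "state": "disabled"}
    algorithm = next((n for p, n in CRYPT_PREFIXES.items() if rest.startswith(p)), None)
    if algorithm is None:
        # traditional DES crypt: 2-char salt + 11-char hash, no '$id$' prefix
        algorithm = "descrypt" if re.fullmatch(r"[./0-9A-Za-z]{13}", rest) else "unknown"
    return {"scheme": scheme, "algorithm": algorithm, "state": state}


def audit(text):
    """Map each dn to the classification of its userPassword values."""
    return {dn: [classify(v) for v in pws] for dn, pws in parse_entries(text)}


def md5_scheme_matches(value, candidate):
    """True if an unsalted {MD5} value is the digest of candidate.

    Works because {MD5} stores base64(md5(password)) with no salt; a
    {crypt}$1$salt$... value for the same password differs per entry.
    """
    m = re.match(r"\{MD5\}(.*)", value, re.I | re.S)
    if not m:
        raise ValueError("not a {MD5} value")
    return base64.b64decode(m.group(1)) == hashlib.md5(candidate.encode()).digest()


if __name__ == "__main__":
    for dn, infos in audit(SAMPLE_LDIF).items():
        print(dn, [f"{i['scheme']}/{i['algorithm']}/{i['state']}" for i in infos])
    print(md5_scheme_matches("{MD5}X03MO1qnZdYdgyfeuILPmQ==", "password"))
```

Run it against a real export with `audit(open("slapcat.ldif").read())`; entries reported as `descrypt` or as unsalted `md5`/`sha` are the ones worth migrating, and `disabled`/`locked` tells you which accounts cannot log in regardless of the hash.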