[PLUG] passwd hash when using openldap
Galen Seitz
galens at seitzassoc.com
Thu Jun 26 23:21:03 UTC 2008
Wil Cooley wrote:
> On Mon, 2008-06-23 at 21:43 -0700, Galen Seitz wrote:
>> I've got a CentOS 5 machine running with openldap for authentication.
>> It's mostly working, but I'm puzzled as to why passwords are being
>> saved in crypt form. I used authconfig to select ldap and md5, yet
>> when I use passwd to change a password the corresponding ldap entry
>> looks like userPassword: {crypt}... This is true regardless of
>> whether root or a normal user changes the password. Any ideas as to
>> what I'm doing wrong?
>
> Probably nothing. Are the first 3 letters of the crypted password '$1$'?
> If so, then it's using MD5 hashing rather than DES hashing (crypt(3)),
> just like it would if it were in /etc/shadow. This form is for
> compatibility with existing systems that already understand BSD-style
> MD5 hashes in the shadow NSS database. You get MD5-hashed passwords in
> both cases of '{crypt}$1$' and '{MD5}'.
You are correct. I might have figured it out for myself had I been able
to see the actual hash. As I now know, the ldap userPassword value is
base64 encoded. For those who are interested, a disabled/invalid
password entry might look like this:
userPassword:: e2NyeXB0fXg=
# echo -n e2NyeXB0fXg= | base64 -d
{crypt}x
thanks,
galen
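
Added example, not part of the original post: a small Python check that decodes LDIF userPassword lines ('::' marks a base64 value, as in the message above) and reports which hash scheme each one uses. Only the first sample line comes from the post. The other sample values are constructed placeholders, and the $5$/$6$ prefixes and all function names are assumptions that go beyond what the thread discusses.

```python
import base64
import re

# crypt(3) prefixes; $1$ is the MD5 case from the thread, $5$/$6$ are added here
CRYPT_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt is 13 chars

def decode_ldif_value(line):
    """Return (attribute, value) for one LDIF line; '::' means base64."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        raw = base64.b64decode(rest[1:].strip())
        return attr, raw.decode("utf-8", "replace")
    return attr, rest.strip()

def classify(value):
    """Name the storage scheme of a decoded userPassword value."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    if not m:
        return "no-scheme-prefix"
    scheme, body = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return scheme                      # e.g. {MD5} -> "md5"
    for prefix, name in CRYPT_PREFIXES.items():
        if body.startswith(prefix):
            return name
    if DES_RE.match(body):
        return "des-crypt"
    return "disabled-or-invalid"           # e.g. {crypt}x

def audit(lines):
    """Classify every userPassword line, ignoring other attributes."""
    out = []
    for line in lines:
        attr, value = decode_ldif_value(line)
        if attr.lower() == "userpassword":
            out.append(classify(value))
    return out

def _b64(text):
    return base64.b64encode(text.encode()).decode()

SAMPLE_LDIF = [
    "userPassword:: e2NyeXB0fXg=",                                  # from the post
    "userPassword:: " + _b64("{crypt}$1$abcdefgh$" + "A" * 22),     # constructed
    "userPassword:: " + _b64("{crypt}ab" + "C" * 11),               # constructed
    "userPassword: {MD5}" + base64.b64encode(bytes(16)).decode(),   # constructed
]

if __name__ == "__main__":
    for line, kind in zip(SAMPLE_LDIF, audit(SAMPLE_LDIF)):
        print(kind, "<-", line)
```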