LDAP problem

Alain Williams Thu, 15 Dec 2005 17:09:13 -0800

Summary: passwords with openldap 2.0 don't seem to work with openldap 2.2

I am migrating 9,000 users onto bigger hardware, two machines, etc.
User authentication is sasl with the info held in an openldap database.
After looong digging I find that the reason that users cannot login to imap
is down to the password in ldap somehow being wrong.


Old machine: openldap2-2.0.23   SUSE: Sles8
New machine: openldap2-2.2.6    SUSE: Sles9

The user information has been carried across in an ldif file.

The schema can't quite carry over since openldap 2.2 is more exacting than 2.0, 
so a few
fields I have to remove as I copied (users had 'objectClass: organization' & 
the such,
which the should not have).

I notice that /etc/openldap/schema/core.schema now (2.2) has commented out:
        attributetype ( 2.5.4.35 NAME 'userPassword'
but if I comment it back in openldap complains of duplicate attributeType.
I think that that is a red herring.

Passwords are set via a php script, the relevant bit is:
        $salt =  pack("C2",(rand(0, 26)+65),(rand(0, 26)+65));
        $md5pw = md5($password . $salt);
        $bin = pack('H*', $md5pw);
        $encpw = base64_encode($bin . $salt);
        $mods['userPassword'] = '{smd5}' . $encpw;      // $mods is the list of 
modifications
This works with openldap 2.0

The passwords that come out of ldapsearch look like:
        userPassword:: e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE
(for password 'password')

If I try and authenticate with that user:
        ldapsearch -LLL -b dc=example,dc=uk -D uid=testuser,dc=example,dc=uk -x 
-w password
it fails on the new system but works on the old one.

If (on the new system) I set the password on my testuser to (using slapadd):
        userPassword:: cGFzc3dvcmQ=
(also for 'password') authentication works properly.
I can't remember how I generated the above string, it is set for the cyrus user.

I don't want 9,000 users to have to have their password reset.

/etc/ldap.conf is the same on both machines.

/etc/slapd.conf contains (on both machines)
        password-hash   {smd5}


syslog messages:
        saslauthd[26685]: Authentication failed for testuser: Bind to ldap 
server failed (invalid user/password or insufficient access) (-7)
        saslauthd[26685]: do_auth         : auth failure: [user=testuser] 
[service=imap] [realm=] [mech=ldap] [reason=Unknown]

I am at a loss .... has anyone got any pointers please.

TIA

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/

#include <std_disclaimer.h>

pgpo2KV65fZGm.pgp
Description: PGP signature

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

LDAP problem

Reply via email to