On Thu, 2022-06-09 at 07:48 +0000, Stuart Henderson wrote:
> On 2022-06-09, David Diggles <[email protected]> wrote:
> > I've just got ldap login working on OpenBSD/7.1 with accounts stored 
> > locally in ldapd and using ypldap.
> > 
> > I just thought I'd share something so anyone reading this may save 
> > wasting the time that I wasted :-)
> > 
> > Your LDIF entry that you read into ldap must be as follows for 
> > userPassword
> > 
> > userPassword: {CRYPT}${ENCRYPTED_PASSWD}
> > 
> > i.e. uppercase CRYPT - I was stuffing around for ages with trying to 
> > understand why login_ldap was failing to bind because I had {crypt} in 
> > lowercase.
> 
> Perhaps it would make sense for ldapd to support {crypt} as well..

No personal preference, but seems easy enough at first glance.
Only compile-tested though...

martijn@

Index: auth.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -r1.14 auth.c
--- auth.c      24 Oct 2019 12:39:26 -0000      1.14
+++ auth.c      9 Jun 2022 11:23:06 -0000
@@ -220,7 +220,7 @@ check_password(struct request *req, cons
        if (stored_passwd == NULL)
                return -1;
 
-       if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
+       if (strncasecmp(stored_passwd, "{SHA}", 5) == 0) {
                sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
                if (sz != SHA_DIGEST_LENGTH)
                        return (-1);
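
Review bot: the new strncasecmp call on the "{SHA}" check (and on the three checks in the later hunks) relies on a declaration this diff does not add; confirm auth.c already gets it through its existing includes, otherwise add <strings.h> in the same commit. The prefix lengths (5, 6, 7, 9) are unchanged, so the offsets into stored_passwd still line up with the tags.
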
@@ -228,7 +228,7 @@ check_password(struct request *req, cons
                SHA1_Update(&ctx, passwd, strlen(passwd));
                SHA1_Final(md, &ctx);
                return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
-       } else if (strncmp(stored_passwd, "{SSHA}", 6) == 0) {
+       } else if (strncasecmp(stored_passwd, "{SSHA}", 6) == 0) {
                sz = b64_pton(stored_passwd + 6, tmp, sizeof(tmp));
                if (sz <= SHA_DIGEST_LENGTH)
                        return (-1);
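
Review bot: the "{SHA}" result in the context line at the top of this hunk is still compared with bcmp (`return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);`), which is not a constant-time comparison. That is not introduced by this change, but since check_password() is being touched anyway, switching the digest comparisons for {SHA} and {SSHA} to timingsafe_bcmp would be worth doing in a follow-up. The strncasecmp on "{SSHA}" itself looks fine: the tag is public, so its comparison does not need to be constant-time.
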
@@ -238,12 +238,12 @@ check_password(struct request *req, cons
                SHA1_Update(&ctx, salt, sz - SHA_DIGEST_LENGTH);
                SHA1_Final(md, &ctx);
                return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
-       } else if (strncmp(stored_passwd, "{CRYPT}", 7) == 0) {
+       } else if (strncasecmp(stored_passwd, "{CRYPT}", 7) == 0) {
                encpw = crypt(passwd, stored_passwd + 7);
                if (encpw == NULL)
                        return (-1);
                return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);
-       } else if (strncmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
+       } else if (strncasecmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
                if (send_auth_request(req, stored_passwd + 9, passwd) == -1)
                        return (-1);
                return 2;       /* Operation in progress. */
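
Review bot: all four branches now accept any case mix of the tag, yet the message says the change is only compile-tested, so nothing has exercised the "{crypt}" path that prompted it or the "{bsdauth}" path, which returns 2 and continues asynchronously. Please bind once with a lowercase tag for each scheme before commit, and check that `strcmp(encpw, stored_passwd + 7)` still sees the hash unchanged: only the tag should be case-insensitive, and the hash after it must stay case-sensitive, which the visible code does preserve.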
