Bug 42271
| Summary: | passwd will not md5-encrypt over LDAP | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | David Wright <ichbin> |
| Component: | nss_ldap | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED CANTFIX | QA Contact: | Aaron Brown <abrown> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.1 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-10-18 16:39:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. Note that any bug still open against Red Hat Linux on will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help. Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Closing as CANTFIX. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.17-14 i686; en-US; rv:0.9) Gecko/20010507 Description of problem: Problem: get passwords stored in md5 in an OpenLDAP database. Yucky but working solution: in /etc/openldap/slapd.conf, In /etc/ldap.conf, include the line password-hash {md5} and use ldappasswd to change passwords. The gq ldap browser then shows entries like {MD5}3825rzsjflz/dsflaf and all is huky-dorey, but no user wants to have to use ldappasswd to do password updates. Nice but failed solution: In /etc/ldap.conf, include the line pam_password md5 which, according to /usr/share/doc/nss_ldap-149/README.pam, should work. But changing passwords using passwd then results in ldap entries like {cryp}sldfjaslduf ie crypt, not md5. Even worse, although login and sshd can authenticate off such an entry, passwd itself cannot, so the user has screwed himself as far as using passwd ever again. How reproducible: Always Steps to Reproduce: 1. Include the line pam_password md5 in /etc/ldap.conf 2. Use passwd to change password Actual Results: New password is stored in {crypt} in LDAP database. Cannot use passwd to change password again. Expected Results: New password in stored in {md5} in LDAP database. Additional info: Adding an "md5" to the line password sufficient /lib/security/pam_ldap.so in /etc/pam.d/system-auth doesn't help. Likewise, using pam_password exop in /etc/ldap.conf instead, which one might hope would make the system use whatever slapd uses "natively", also doesn't work. In fact, passwd fails to update at all in this configuration.