Bug 42271 - passwd will not md5-encrypt over LDAP
Summary: passwd will not md5-encrypt over LDAP
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-05-25 14:04 UTC by David Wright
Modified: 2007-04-18 16:33 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-10-18 16:39:51 UTC
Embargoed:


Attachments (Terms of Use)

Description David Wright 2001-05-25 14:04:51 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.17-14 i686; en-US; rv:0.9)
Gecko/20010507

Description of problem:
Problem: get passwords stored in md5 in an OpenLDAP database.

Yucky but working solution: in /etc/openldap/slapd.conf,  In
/etc/ldap.conf, include the line
  password-hash	{md5}
and use ldappasswd to change passwords. The gq ldap browser then
shows entries like
  {MD5}3825rzsjflz/dsflaf
and all is huky-dorey, but no user wants to have to use ldappasswd
to do password updates.

Nice but failed solution: In /etc/ldap.conf, include the line
  pam_password md5
which, according to /usr/share/doc/nss_ldap-149/README.pam,
should work. But changing passwords using passwd then
results in ldap entries like
  {cryp}sldfjaslduf
ie crypt, not md5. Even worse, although login and sshd can
authenticate off such an entry, passwd itself cannot, so
the user has screwed himself as far as using passwd ever again.



How reproducible:
Always

Steps to Reproduce:
1. Include the line
  pam_password md5
in /etc/ldap.conf
2. Use passwd to change password
	

Actual Results:  New password is stored in {crypt} in LDAP database.
Cannot use passwd to change password again.

Expected Results:  New password in stored in {md5} in LDAP database.

Additional info:

Adding an "md5" to the line
  password sufficient /lib/security/pam_ldap.so
in /etc/pam.d/system-auth doesn't help. Likewise, using
  pam_password exop
in /etc/ldap.conf instead, which one might hope would make
the system use whatever slapd uses "natively", also doesn't
work. In fact, passwd fails to update at all in this configuration.

Comment 1 Bill Nottingham 2006-08-07 19:16:20 UTC
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.

Comment 2 Bill Nottingham 2006-10-18 16:39:51 UTC
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.


Note You need to log in before you can comment on or make changes to this bug.