On Tue, Jan 08, 2008 at 11:18:06AM -0800, Markus Moeller wrote:

> Looking at the source of getspent I see that the password needs to
> start with {crypt}.  Why is that ?  Could a flag be added to assume
> {crypt} and add if missing ?

Native LDAP allows a broad set of password encryption algorithms, only
one of which is compatible with the traditional Unix crypt(3c).
Because the password is used by the server to authenticate LDAP client
connections, it needs to know what format the hashed password is
stored in.  Using {crypt} passwords allows for compatibility with
getspnam and company, but still requires that tag to be present (as do
the LDAP RFCs).

Generally, you should not use getspnam(3c) and crypt(3c) to perform
authentication.  Instead, use pam_authenticate(3pam), which will work
correctly with both native and Unix-compatible LDAP.  That said, if
your userPassword attributes lack any kind of hash specifier, it's
unclear how well they'll work regardless.

-- 
Keith M Wesolowski              "Sir, we're surrounded!" 
FishWorks                       "Excellent; we can attack in any direction!" 
_______________________________________________
opensolaris-code mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
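As an added example (not from the thread), a small C routine that performs the tag check the message describes: it recognizes the `{crypt}` scheme tag on a userPassword value (case-insensitively, as the LDAP scheme names are), and classifies untagged or differently tagged values so a caller never feeds them to crypt(3) as if they were Unix hashes. The sample values are constructed, not taken from any real directory.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* How a userPassword value is tagged, as seen by a crypt(3)-based
 * consumer such as getspnam(): usable, foreign scheme, or no tag at all. */
enum pw_scheme { PW_NO_TAG, PW_CRYPT, PW_OTHER };

/* Split "{scheme}hash" into its parts.  On return *hash points at the text
 * after the closing brace (or at the whole value when there is no tag) and
 * scheme, if non-NULL, receives the tag name without the braces. */
enum pw_scheme parse_userpassword(const char *value, char *scheme,
                                  size_t scheme_len, const char **hash)
{
    const char *close;
    size_t n;

    *hash = value;
    if (scheme && scheme_len) scheme[0] = '\0';

    if (value[0] != '{' || (close = strchr(value, '}')) == NULL)
        return PW_NO_TAG;          /* bare hash: its format is unknown */

    n = (size_t)(close - value - 1);
    if (scheme && scheme_len) {
        size_t c = n < scheme_len - 1 ? n : scheme_len - 1;
        memcpy(scheme, value + 1, c);
        scheme[c] = '\0';
    }
    *hash = close + 1;

    /* Scheme names are case-insensitive: {crypt} and {CRYPT} are the same. */
    if (n == 5 && strncasecmp(value + 1, "crypt", 5) == 0)
        return PW_CRYPT;
    return PW_OTHER;               /* e.g. {SSHA}, {MD5}: not crypt(3) input */
}

int main(void)
{
    /* Constructed sample values for demonstration only. */
    const char *samples[] = { "{crypt}$1$saltsalt$constructedhash",
                              "{SSHA}Y29uc3RydWN0ZWQgYmxvYg==",
                              "$1$saltsalt$untaggedhash" };
    const char *names[] = { "no tag", "crypt", "other" };
    for (size_t i = 0; i < 3; i++) {
        const char *h; char s[16];
        enum pw_scheme r = parse_userpassword(samples[i], s, sizeof s, &h);
        printf("%-40s -> %s (scheme=\"%s\", hash=\"%s\")\n",
               samples[i], names[r], s, h);
    }
    return 0;
}
```

Only the `PW_CRYPT` case may be compared with `crypt(3)`; the other two are exactly the situations in which the message expects getspnam-style authentication to fail.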
