I know that other methods are better and Kerberos is my preferred option.
Unfortunately I still need to support applications for which I don't have
the source and I can't get the vendor to change it. In addition I am bound to
Microsoft's AD use of unixuserpassword which is synchronized with the
Kerberos password.
I appreciate that you check for LDAP RFC compliance (which is not really the
case as it is now) but I still would prefer the ability to overwrite the
behavior and let the application decide if it is OK or not. Also, as there
are many possible encryption algorithms, why does the code require {crypt}?
Markus
BTW it works fine on other platforms (e.g. Linux)
----- Original Message -----
From: "Darren J Moffat" <[EMAIL PROTECTED]>
To: "Markus Moeller" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Tuesday, January 08, 2008 9:08 PM
Subject: Re: [osol-code] Question about getspnam and LDAP
> Markus Moeller wrote:
>> Looking at the source of getspent I see that the password needs to start
>> with {crypt}. Why is that? Could a flag be added to assume {crypt} and
>> add if missing?
>
> If the {crypt} prefix isn't present then it isn't likely to be verifiable
> with crypt(3C) which is what that prefix means.
>
> It is likely some other form of password hash which means that pam_ldap
> rather than pam_unix_auth (ultimately getspnam/crypt/strcmp).
>
> --
> Darren J Moffat
>
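
The prefix check discussed in this thread, as an added C example that is not OpenSolaris source and not code from either poster. The names `classify_userpassword`, `pw_kind` and `assume_crypt` are hypothetical, the sample values are constructed, and matching the scheme name case-insensitively is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* All names here are hypothetical; sample values in main() are constructed. */
enum pw_kind {
    PW_CRYPT,        /* {crypt}hash: comparable via crypt(3C) */
    PW_OTHER_SCHEME, /* some other {scheme}: leave to an LDAP bind (pam_ldap) */
    PW_NO_SCHEME,    /* no {scheme} prefix: hash format unknown */
    PW_MALFORMED     /* NULL, empty, unclosed "{", or empty hash */
};

/* Classify one userPassword value. *hash is set only when the caller may pass
 * the text to crypt(3C). assume_crypt models the override requested in the
 * thread: a prefix-less value is then treated as a crypt hash. */
enum pw_kind classify_userpassword(const char *value, int assume_crypt,
                                   const char **hash)
{
    static const char scheme[] = "crypt";
    const char *end;
    size_t i;
    *hash = NULL;
    if (value == NULL || *value == '\0')
        return PW_MALFORMED;
    if (*value != '{') {
        if (assume_crypt)
            *hash = value;
        return PW_NO_SCHEME;
    }
    if ((end = strchr(value, '}')) == NULL)
        return PW_MALFORMED;
    if ((size_t)(end - value - 1) != strlen(scheme))
        return PW_OTHER_SCHEME;
    for (i = 0; scheme[i] != '\0'; i++)   /* assumed case-insensitive match */
        if (tolower((unsigned char)value[i + 1]) != scheme[i])
            return PW_OTHER_SCHEME;
    if (end[1] == '\0')                   /* never hand over an empty hash */
        return PW_MALFORMED;
    *hash = end + 1;
    return PW_CRYPT;
}

int main(void)
{
    const char *samples[] = { "{crypt}ab01FAX.bQRSU", "{SSHA}constructed", "ab01FAX.bQRSU" };
    const char *h;
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> kind %d\n", samples[i], classify_userpassword(samples[i], 0, &h));
    return 0;
}
```

With `assume_crypt` set, a prefix-less value that is actually cleartext or another hash format is handed to the crypt comparison as if it were a crypt hash, which is the ambiguity the mandatory prefix removes.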