Markus Moeller wrote:
> Sorry I don't understand why the other algorithms are dealt with on the 
> ldap server

That is how LDAP is defined to work.

> (I probably misunderstand how it should work.)  ? I thought 
> getspnam/getpwnam will request the password hash from either a file, NIS 
> server or LDAP server and then the application compares the hash (or 
> what ever encryption used) with its own calculated hash from the users 
> password. 

Correct if you are running the LDAP server in a mode where it is 
basically in NIS compatibility.  The other way to do authentication (in 
fact the much more secure and "proper" way to do it) is via the 
ldap_bind() library call; this will use SASL (and maybe even GSS-API and 
thus Kerberos).

> If it is a newer application it will know how to deal with the 
> different prefixes and if it is an old application it will use the 
> default crypt as described for the shadow file.

No, the application on the client side shouldn't be doing anything like that.

In fact applications should in general not be authenticating this way 
but should instead be using the appropriate higher level interface which, 
depending on whether they are initial or network authentication, is either 
PAM (initial) or SASL/GSS-API for network.

> OK. Here is a user in AD called mm accessed from Opensuse 10.3 (using 
> nss_ldap from PADL with openldap). I can successfully do a kinit to that 
> account (as I mentioned my preferred method).


I should have been clearer on what I wanted: I wanted a dump of the entry 
as it is seen by ldap, say using ldapsearch(1), not via getpwent(). 
Sorry about that.

What I'm looking for is to see exactly how it is stored in ldap. 
According to RFC2307 it should be stored in an attribute called 
"userPassword" and it must include the scheme:
        LDAPv2 style:   userPassword: {crypt}X5/DBrWPOQQaI
        LDAPv3 style:   userPassword;hash-crypt: X5/DBrWPOQQaI


-- 
Darren J Moffat
_______________________________________________
opensolaris-code mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
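The two RFC 2307 forms Darren quotes (LDAPv2 `{scheme}value` in the attribute value, LDAPv3 `userPassword;hash-scheme` as an attribute option) are easy to mis-parse, which is part of why he says the comparison belongs in the LDAP server rather than in client code. The following Python is an added example, not code from the mail, from PADL nss_ldap or from OpenLDAP: it parses an LDIF-style `userPassword` line in either form into a (scheme, stored value) pair and verifies a candidate password for the common storage schemes. The sample entries are constructed here; the `X5/DBrWPOQQaI` string is the example from the mail and is only parsed, never verified, because its plaintext is not known. The `{crypt}` branch relies on Python's `crypt` module (removed in 3.13), so on newer interpreters it reports the scheme as unsupported instead of guessing.

```python
import base64
import hashlib
import hmac
import os


def parse_userpassword(line):
    """Split one LDIF-style userPassword line into (scheme, stored_value).

    Handles both RFC 2307 forms:
      LDAPv2 style:  userPassword: {crypt}X5/DBrWPOQQaI
      LDAPv3 style:  userPassword;hash-crypt: X5/DBrWPOQQaI
    A value with no scheme at all is treated as {cleartext}, as RFC 2307 does.
    """
    name, _, value = line.partition(':')
    value = value.strip()
    if ';hash-' in name:                      # LDAPv3 attribute-option form
        scheme = name.split(';hash-', 1)[1].strip().lower()
        return scheme, value
    if value.startswith('{') and '}' in value:  # LDAPv2 prefix form
        end = value.index('}')
        return value[1:end].lower(), value[end + 1:]
    return 'cleartext', value


def verify(scheme, stored, candidate):
    """Return True if candidate matches the stored value under the given scheme.

    All comparisons use hmac.compare_digest so a wrong guess costs the same
    time as a right one regardless of where the first differing byte is.
    """
    pw = candidate.encode()
    if scheme in ('cleartext', 'clear'):
        return hmac.compare_digest(stored.encode(), pw)
    if scheme == 'sha':                       # unsalted SHA-1, base64
        return hmac.compare_digest(base64.b64decode(stored), hashlib.sha1(pw).digest())
    if scheme == 'ssha':                      # SHA-1(pw + salt) || salt, base64
        raw = base64.b64decode(stored)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == 'md5':                       # unsalted MD5, base64 (legacy)
        return hmac.compare_digest(base64.b64decode(stored), hashlib.md5(pw).digest())
    if scheme == 'smd5':                      # MD5(pw + salt) || salt, base64 (legacy)
        raw = base64.b64decode(stored)
        digest, salt = raw[:16], raw[16:]
        return hmac.compare_digest(digest, hashlib.md5(pw + salt).digest())
    if scheme == 'crypt':                     # traditional crypt(3); needs the platform library
        try:
            import crypt                      # deprecated in 3.11, removed in 3.13
        except ImportError as exc:
            raise NotImplementedError('{crypt} needs crypt(3); not available here') from exc
        return hmac.compare_digest(crypt.crypt(candidate, stored), stored)
    raise ValueError(f'unsupported userPassword scheme {scheme!r}')


def check_password(line, candidate):
    """Convenience wrapper: parse one attribute line, then verify."""
    scheme, stored = parse_userpassword(line)
    return verify(scheme, stored, candidate)


def make_ssha(password, salt=None):
    """Produce an LDAPv2-style {SSHA} value the way slappasswd(8) would (assumed layout)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode()


# Constructed sample entry lines; the plaintext for the first two is 'correct horse'.
SAMPLE_ENTRY = [
    'userPassword: ' + make_ssha('correct horse', salt=b'12345678'),
    'userPassword: {SHA}' + base64.b64encode(hashlib.sha1(b'correct horse').digest()).decode(),
    'userPassword;hash-crypt: X5/DBrWPOQQaI',   # the mail's example, LDAPv3 style
]


if __name__ == '__main__':
    for line in SAMPLE_ENTRY:
        scheme, stored = parse_userpassword(line)
        print(f'{scheme:10s} {stored}')
    print('SSHA verify:', check_password(SAMPLE_ENTRY[0], 'correct horse'))
    print('SHA  verify:', check_password(SAMPLE_ENTRY[1], 'correct horse'))
```

In a real deployment this comparison happens inside the directory server on a simple bind (or a compare operation), and the client never reads `userPassword` at all; reading the hash through getpwnam()/getspnam() and comparing locally is exactly the NIS-compatibility mode Darren contrasts with ldap_bind()/SASL, and it requires the directory to expose the hash to every client that can read the entry.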