LDAP, MD5, and password changes

From: Navarro, Eddy (enavarro@tigr.org)
Date: Wed Apr 13 2005 - 12:14:17 EDT


Hello all,

Here is my dilemma: We have SunONE Directory Server 5.2 patch 2.
Previously, user passwords were encrypted using simple crypt, but we
wanted to harden the mechanism and tested using MD5. We are encrypting
on the client side, using pam_unix. We set CRYPT_DEFAULT=1 in
/etc/security/policy.conf on the client. When a user logs in initially
and changes their current crypt password, everything works fine and the
password is stored on the LDAP server with MD5 encryption (the password
string starts with '{crypt}$1'). However, upon subsequent user login,
when the user attempts to change his/her MD5 password using 'passwd' or
'passwd -r ldap', after being prompted for current and new password they
get a 'permission denied' error.

Sample output:

> passwd -r ldap
passwd: Changing password for testacct
Enter existing login password:
New Password:
Re-enter new Password:
Permission denied

I've been on the horn with Sun for days on this, and they have been NO
help. They claim that client-side MD5 encryption is not supported,
which I don't buy for a second.

I've trussed the process and examined the access logs on the server. I
see the BIND requests coming across the line as the ldapproxy, and
completing successfully, but the user is still unable to change their
password.

Can anyone assist?

Thanks,
Eddy
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
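The post describes two things that are easy to conflate: the hash the client computes (BSD MD5-crypt, the "$1$" scheme that Solaris selects with CRYPT_DEFAULT=1) and the way the directory stores it (a userPassword value prefixed with {crypt}, which the server treats opaquely). The following Python is an added example, not code from the original post, from Sun, or from the Directory Server; it implements MD5-crypt from the published algorithm so you can recompute and verify a "{crypt}$1$..." value offline, and it classifies userPassword values by scheme so you can confirm what was actually written to the entry. The sample userPassword values, the account names, and the helper names (md5_crypt, verify_md5_crypt, classify_user_password) are all constructed for this example.

```python
# Added example, not from the original post: BSD MD5-crypt ("$1$") as a
# client-side crypt(3) produces it, plus a classifier for LDAP userPassword
# values. Sample data below is constructed, not taken from a real directory.
import hashlib
import secrets

# crypt(3) base64-style alphabet used by MD5-crypt's output encoding
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters, 6 bits each, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Poul-Henning Kamp's MD5-crypt: '$1$' + salt + '$' + 22 chars."""
    magic = b"$1$"
    salt = salt.split(b"$")[0][:8]          # crypt(3) stops at '$', max 8 chars
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                    # mix in alt sum, 16 bytes at a time
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:                              # one byte per bit of the length
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000-round stretching loop
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    encoded = b"".join([                    # byte permutation fixed by the spec
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (magic + salt + b"$" + encoded).decode("ascii")


def verify_md5_crypt(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")               # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2].encode()), stored)


def classify_user_password(value: str) -> str:
    """Name the scheme of an LDAP userPassword value.

    {crypt} values are produced client-side (pam_unix here) and stored as-is;
    other {scheme} prefixes mean the server hashed the value itself.
    """
    if value.startswith("{crypt}"):
        body = value[len("{crypt}"):]
        if body.startswith("$1$"):
            return "crypt: MD5-crypt (client-side; Solaris CRYPT_DEFAULT=1)"
        if body.startswith("$"):
            return "crypt: modular crypt scheme $" + body.split("$")[1] + "$"
        if len(body) == 13:
            return "crypt: traditional DES (13 chars, 8-char password limit)"
        return "crypt: unrecognized"
    if value.startswith("{") and "}" in value:
        return "server-side scheme " + value[1:value.index("}")]
    return "cleartext"


# Constructed sample entries (hypothetical accounts, not real hashes)
SAMPLE_USER_PASSWORDS = {
    "olduser": "{crypt}ABCDEFGHIJKLM",                          # DES placeholder
    "testacct": "{crypt}" + md5_crypt(b"Tr0ub4dor", b"saltsalt"),
    "svcacct": "{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",     # placeholder
}

if __name__ == "__main__":
    for uid, value in SAMPLE_USER_PASSWORDS.items():
        print(f"{uid:10s} {classify_user_password(value)}")
```

On a host that still ships Python's crypt module, `crypt.crypt("Tr0ub4dor", "$1$saltsalt$")` should return the same string as `md5_crypt(b"Tr0ub4dor", b"saltsalt")`, which is a quick way to confirm the client is producing real MD5-crypt before blaming the directory. Note that classifying the stored value only tells you what the client wrote; it says nothing about whether the bind identity used for the modify has write access to userPassword, which is the other half of a "Permission denied" on password change.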



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:32 EDT