C2 LDAP authentication against Openldap

From: Chang Kai Cheong (kcchang@hkusua.hku.hk)
Date: Thu Mar 06 2003 - 03:51:59 EST


Dear managers,

A while back, I posted a problem on the LDAP authentication
inter-operability of Tru64 5.1A BL3 with C2 enabled. Perhaps I did not
describe the problem very well; I have not had any feedback yet :)

I tried to set up LDAP authentication on a Tru64 5.1A BL3 (C2 enabled)
against an Openldap directory (2.0.27 on another Unix machine). Following
the documentation on Internet Express and Best Practices, I finally made
it work after issuing the following command:

/usr/internet/ldap_tools/ldap_passwd <user_name> <passwd>

When I checked against the LDAP server, the userPassword was inserted in
the following format:

userPassword: <encrypted_string>

According to the Openldap documentation, the userPassword attribute
should be stored as:

userPassword: {<CRYPT_METHOD>}<encrypted_string>

In my case, the <CRYPT_METHOD> is CRYPT. Therefore, the format of
userPassword should be "{CRYPT}<encrypted_string>". However, this would
break other LDAP-aware applications on checking on the validity of the
userPassword attribute.

In addition, the command:

/usr/internet/ldap_tools/ldap_get_user <user_name>

gets the correct passwords from the LDAP server regardless of the format of
userPassword, i.e.:

testuser:5gXDZeVTp99Z.:1000000:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr1:5gXDZeVTp99Z.:1000001:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr2:5gXDZeVTp99Z.:1000002:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr3:5gXDZeVTp99Z.:1000003:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr4:5gXDZeVTp99Z.:1000004:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr5:5gXDZeVTp99Z.:1000005:110:Chang Kai Cheong:/tmp:/bin/ksh

However, edauth -g <user_name> shows an asterisk for the password when
userPassword is in the "{CRYPT}<encrypted_string>" format:

# edauth -g testusr5
testusr5:u_name=testusr5:u_id#1000005:u_pwd=5gXDZeVTp99Z.:u_oldcrypt#3:\
:u_suclog#1043319991:u_suctty=INET#xxxx.hku.hk:u_unsuctty=INET#xxxx.hku.hk:u_unsuclog#1043319728:\
        :u_lock@:chkent:
# edauth -g testusr6
testusr6:u_name=testusr6:u_id#1000006:u_pwd=*:u_oldcrypt#3:\
:u_unsuctty=INET#hkuoad2.hku.hk:u_unsuclog#1043320549:u_numunsuclog#1:u_lock@:\
        :u_flogins#1:chkent:

I wonder if it is a bug of C2 security enabled or I missed anything. Any
input is appreciated.

Thanks in advance.
KC Chang
Computer Centre
The University of Hong Kong
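The mismatch KC describes comes down to how a consumer of the userPassword attribute treats the optional "{SCHEME}" prefix defined for RFC 2307 style entries: a scheme-aware client strips the prefix and verifies according to the named scheme, while a crypt-only consumer that expects a bare hash cannot use a prefixed value. The following Python is an added illustration written for this archive page; it is not code from the original post, from Tru64, or from OpenLDAP, and it does not claim to reproduce how edauth or ldap_get_user actually parse the attribute. The hash value 5gXDZeVTp99Z. is taken from the post only as a parsing sample (its plaintext is unknown here); the {SSHA} entry and the "*" fallback in to_passwd_field are assumptions of the example.

```python
"""Parse and verify RFC 2307 style userPassword values ({SCHEME}payload or bare).

Added example; the {SSHA} entry and the helper names are constructed for
illustration and are not part of the original mailing-list post.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample directory entries. The first two use the crypt(3) hash
# quoted in the post (plaintext unknown); the third is an {SSHA} value
# generated by make_ssha() below.
SAMPLE_ENTRIES = {
    "testusr5": "5gXDZeVTp99Z.",           # bare hash, as ldap_passwd wrote it
    "testusr6": "{CRYPT}5gXDZeVTp99Z.",    # same hash with the scheme prefix
}


def parse_user_password(value: str) -> Tuple[Optional[str], str]:
    """Split a userPassword value into (scheme, payload).

    A leading "{SCHEME}" is returned upper-cased; a bare value yields
    scheme None, which is how a legacy crypt-only consumer sees it.
    """
    if value.startswith("{"):
        end = value.find("}")
        if end > 1:
            return value[1:end].upper(), value[end + 1:]
    return None, value


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP style {SSHA} value: base64(SHA1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored userPassword value."""
    scheme, payload = parse_user_password(stored)

    if scheme is None or scheme == "CRYPT":
        # Bare value or explicit {CRYPT}: both are crypt(3) strings, and the
        # stored string doubles as the salt argument.
        try:
            import crypt  # removed from the standard library in Python 3.13
        except ImportError:
            raise NotImplementedError("crypt(3) is not available on this Python")
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)

    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(computed, digest)

    if scheme == "SHA":
        computed = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(computed, base64.b64decode(payload))

    raise ValueError(f"unsupported userPassword scheme: {scheme}")


def to_passwd_field(stored: str) -> str:
    """Map a userPassword value onto a crypt-only password field.

    Assumption of this example (not documented Tru64 behaviour): only a bare
    value or a {CRYPT} value can be handed to crypt(3), so anything else
    becomes "*", an unusable password, rather than a silently wrong string.
    """
    scheme, payload = parse_user_password(stored)
    if scheme is None or scheme == "CRYPT":
        return payload
    return "*"


if __name__ == "__main__":
    entries = dict(SAMPLE_ENTRIES)
    entries["testusr7"] = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")
    for user, value in entries.items():
        print(f"{user}: scheme={parse_user_password(value)[0]} "
              f"passwd_field={to_passwd_field(value)}")
    print("testusr7 verifies:", verify_password(entries["testusr7"], "correct horse"))
```

Usage: run the module directly to see how each stored form is classified and which ones a crypt-only consumer can still use; verify_password is the scheme-aware path an LDAP client would take, and to_passwd_field shows the defensive choice of locking an account ("*") rather than emitting a hash string in a format the local authentication stack cannot check.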



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:10 EDT