RE: saslauthd -a ldap ( possible BO / bug with long userpassword strings ? )


Subject: RE: saslauthd -a ldap ( possible BO / bug with long userpassword strings ? )
From: Igor Brezac (igor at ipass dot net)
Date: Wed Apr 16 2003 - 11:55:27 EDT


On Wed, 16 Apr 2003, Howard Chu wrote:

> > -----Original Message-----
> > From: Igor Brezac [mailto:igor at ipass dot net]
>
> > On Wed, 16 Apr 2003, Howard Chu wrote:
> > > > -----Original Message-----
> > > > From: owner-cyrus-sasl at lists dot andrew dot cmu dot edu
> > > > [mailto:owner-cyrus-sasl at lists dot andrew dot cmu dot edu] On Behalf Of Igor Brezac
> > >
> > > > > dn: uid=test,dc=testdomain,dc=com
> > > > > modify userpassword
> > > > > userpassword: {crypt}$1$cnd5NASV$hOHd2091l3Ui.pxHUA0dm0
> > > >
> > > > This is not crypt hash (unix crypt hash has 13 characters).
> > >
> > > Some newer versions of Unix (and Linux) crypt() use MD5 hashes as above
> > > instead of DES. The above string would be valid on such a platform.
> > >
> >
> > Shouldn't those hashes be prefixed with {MD5} or
> > {SMD5}?
>
> No, none of those are compatible encodings. The "{crypt}" specifier means
> "whatever algorithm this host's crypt() library uses", it no longer just
> means Unix/DES. And MD5-based crypt() is definitely not the same as {MD5} or
> {SMD5}.
>

Thanks. In this case saslauthd/ldap is doing the right thing.

Both openldap and saslauthd/ldap use crypt() to verify {crypt} passwords.
saslauthd/ldap verifies passwords when 'ldap_auth_method: custom' is
configured; otherwise, it uses openldap to authenticate via
ldap_simple_bind - this is the default (ldap_auth_method: bind).

I think the problem may be with the build and I suspect openssl is
interfering here. What does 'ldd saslauthd' say?

Jose, what OS do you use?

-- 
Igor
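
The difference between {crypt} values and {MD5}/{SMD5} values discussed in this thread, as an added example that is not part of the original message or of the saslauthd/OpenLDAP sources. Function names are hypothetical, the DES sample in the test is constructed, the modular ids other than `$1$` go beyond what the thread mentions, and the {SMD5} layout assumed is base64(MD5(password + salt) + salt).

```python
import base64
import binascii
import hashlib
import hmac
import re

# crypt(3) modular-format ids; whether each one verifies depends on the host libc.
MODULAR_IDS = {"1": "MD5-crypt", "2a": "bcrypt", "2b": "bcrypt",
               "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
SCHEME_RE = re.compile(r"\{([A-Za-z0-9-]+)\}(.*)", re.S)
MODULAR_RE = re.compile(r"\$([0-9a-z]+)\$")
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash

THREAD_VALUE = "{crypt}$1$cnd5NASV$hOHd2091l3Ui.pxHUA0dm0"  # quoted in the thread


def classify(value):
    """Return (scheme, detail) for one userPassword value."""
    m = SCHEME_RE.fullmatch(value)
    if not m:
        return ("cleartext", None)
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, None)
    mod = MODULAR_RE.match(body)
    if mod:
        return ("CRYPT", MODULAR_IDS.get(mod.group(1), "unknown modular id"))
    if DES_RE.fullmatch(body):
        return ("CRYPT", "traditional DES")
    return ("CRYPT", "unrecognised")


def make_smd5(password, salt):
    """Build an {SMD5} value; an empty salt gives the {MD5} body."""
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def verify_md5_family(value, password):
    """Check {MD5}/{SMD5} values; return None for any other scheme."""
    m = SCHEME_RE.fullmatch(value)
    if not m or m.group(1).upper() not in ("MD5", "SMD5"):
        return None  # {crypt} must go through the host's crypt() instead
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False  # e.g. an MD5-crypt string relabelled as {MD5}
    if len(raw) < 16:
        return False
    digest, salt = raw[:16], raw[16:]
    return hmac.compare_digest(hashlib.md5(password + salt).digest(), digest)
```

Relabelling the thread's `$1$...` string as {MD5} fails in `verify_md5_family` because the body is not base64 of a raw digest, which is why the two encodings cannot be substituted for each other.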






