Dear managers,
A while back, I posted a problem on the LDAP authentication
interoperability of Tru64 5.1A BL3 with C2 enabled. Perhaps I did not
describe the problem very well; I have not got any feedback yet :)
I tried to set up LDAP authentication on a Tru64 5.1A BL3 (C2 enabled)
against an OpenLDAP directory (2.0.27 on another Unix machine). Following
the documentation on Internet Express and Best Practices, I
finally made it work after issuing the following command:
/usr/internet/ldap_tools/ldap_passwd <user_name> <passwd>
When I checked against the LDAP server, the userPassword was inserted in
the following format:
userPassword: <encrypted_string>
According to the OpenLDAP documentation, the userPassword attribute
should be stored as:
userPassword: {<CRYPT_METHOD>}<encrypted_string>
In my case, the <CRYPT_METHOD> is CRYPT. Therefore, the format of
userPassword should be "{CRYPT}<encrypted_string>". However, this would
break other LDAP-aware applications on checking on the validity of the
userPassword attribute.
In addition, the command:
/usr/internet/ldap_tools/ldap_get_user <user_name>
can get the correct passwords from the LDAP server regardless of the format of
userPassword, i.e.:
testuser:5gXDZeVTp99Z.:1000000:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr1:5gXDZeVTp99Z.:1000001:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr2:5gXDZeVTp99Z.:1000002:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr3:5gXDZeVTp99Z.:1000003:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr4:5gXDZeVTp99Z.:1000004:110:Chang Kai Cheong:/tmp:/bin/ksh
testusr5:5gXDZeVTp99Z.:1000005:110:Chang Kai Cheong:/tmp:/bin/ksh
However, edauth -g <user_name> will get an asterisk for a userPassword in
the "{CRYPT}<encrypted_string>" format:
# edauth -g testusr5
testusr5:u_name=testusr5:u_id#1000005:u_pwd=5gXDZeVTp99Z.:u_oldcrypt#3:\
:u_suclog#1043319991:u_suctty=INET#xxxx.hku.hk:u_unsuctty=INET#xxxx.hku.hk:u_unsuclog#1043319728:\
:u_lock_at_:chkent:
# edauth -g testusr6
testusr6:u_name=testusr6:u_id#1000006:u_pwd=*:u_oldcrypt#3:\
:u_unsuctty=INET#hkuoad2.hku.hk:u_unsuclog#1043320549:u_numunsuclog#1:u_lock_at_:\
:u_flogins#1:chkent:
I wonder if it is a bug with C2 security enabled or if I missed anything. Any
input is appreciated.
Thanks in advance.
KC Chang
Computer Centre
The University of Hong Kong
Received on Thu Mar 06 2003 - 09:20:29 NZDT
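The format mismatch described in the post, as an added example that is not code from the post, from Tru64 or from OpenLDAP: a small Python audit helper that parses RFC 2307-style userPassword values, accepts both the bare crypt(3) string ldap_passwd wrote and the "{CRYPT}"-tagged form, and classifies each entry so an administrator can find the ones stored in the form that the C2 lookup reported as "*". The user names and the hash string are taken from the post; the SSHA and untagged cleartext entries are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample entries modelled on the post: testusr5 holds the bare form
# ldap_passwd wrote, testusr6 the RFC 2307 "{CRYPT}" form that edauth showed as
# u_pwd=*; the hash string is the one in the post's ldap_get_user output.
# testusr7 and testusr8 are extra constructed cases.
SAMPLE_ENTRIES = {
    "testusr5": "5gXDZeVTp99Z.",
    "testusr6": "{CRYPT}5gXDZeVTp99Z.",
    "testusr7": "{SSHA}c2FsdGVkaGFzaA==",   # another scheme, constructed value
    "testusr8": "plaintextpassword",        # untagged and not crypt-shaped
}

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)
# Traditional DES crypt(3): exactly 13 characters from the [./0-9A-Za-z] set.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

@dataclass
class PasswordValue:
    scheme: Optional[str]  # None when the value carries no "{SCHEME}" tag
    payload: str

def parse_user_password(value: str) -> PasswordValue:
    """Split an RFC 2307 userPassword value into scheme tag and payload."""
    m = SCHEME_RE.match(value)
    if m:
        return PasswordValue(m.group(1).upper(), m.group(2))
    # No tag: the directory cannot tell a hash from cleartext here, which is
    # why RFC 2307 recommends always writing the "{SCHEME}" tag.
    return PasswordValue(None, value)

def crypt_hash_for_passwd(value: str) -> Optional[str]:
    """Bare crypt(3) string for a passwd-style record, accepting both the bare
    and the {CRYPT}-tagged form; None for other schemes or non-crypt payloads."""
    pv = parse_user_password(value)
    if pv.scheme not in (None, "CRYPT"):
        return None
    return pv.payload if DES_CRYPT_RE.match(pv.payload) else None

def classify(value: str) -> str:
    """Storage form of one userPassword value, for auditing a directory."""
    pv = parse_user_password(value)
    if pv.scheme == "CRYPT":
        return "tagged-crypt"
    if pv.scheme is not None:
        return "other-scheme"
    return "bare-crypt" if DES_CRYPT_RE.match(pv.payload) else "untagged-non-crypt"
```

Running classify over every userPassword value pulled from the directory lists which accounts are in the tagged form and which in the bare form, so the two populations can be compared against what edauth -g reports for them.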