
List:       ldap
Subject:    [ldap] Re: OpenLDAP on Linux, IRIX client
From:       Greg Matthews <gmatt () nerc ! ac ! uk>
Date:       2005-07-20 12:08:16
Message-ID: 1121861296.18286.12.camel () lea ! nerc-wallingford ! ac ! uk

On Tue, 2005-07-19 at 09:10 -0400, Stephen J. Scheck wrote:
> Hello,
> 
> I'm trying to get an SGI/IRIX system (IRIX v6.5.17m) to authenticate 
> against OpenLDAP running on Linux. I've been having a lot of trouble but 
> I think I've nailed down the problem. I've successfully verified that 
> the IRIX box is asking slapd on the Linux box for posixAccount and 
> shadowAccount objects/attributes, but slapd returns a userPassword 
> attribute in this format to the IRIX system:
> 
> {crypt}w3pPyQ6ERHSMf
> 
> I don't think IRIX likes the {crypt} prefix however, and all 
> authentication against the returned crypt hash fails. I've done some 
> googling and noticed that there is a directive
> 
> regsub  USERPASSWORD{{crypt\}}{}
> 
> which goes in the /var/ns/ldap.conf file on IRIX, and presumably strips 
> off the {crypt} prefix. Unfortunately, this directive isn't explained in 
> the man pages on my system and doesn't appear to do anything. I think it 
> is from a newer IRIX version. I don't have a maintenance contract, so 
> upgrading is out of the question.

it should work for this release, try the following:

regsub USERPASSWORD{{crypt\}|{CRYPT\}}{}

which should work for upper and lower case. 

Advice given by Michael is sound - ethereal is incredibly useful for
debugging this sort of stuff (especially as IRIX cannot use encryption
to talk ldap - I've had some success with stunnel tho). Be warned that
IRIX splits up its packets in a strange way so reading the ethereal data
can be a bit tedious.

Once you get your head around how IRIX name service works it actually
hangs together reasonably well.

> 
> Can anybody verify that the {crypt} prefix is indeed my problem, and if 
> there are any other work-arounds I might have missed?

you definitely need to strip this off the beginning of your passwords.
Also, your passwords (obviously) need to be CRYPT hashes and not SSHA or
anything else!

I've got this working fine (apart from encryption) for all name service
stuff including autofs so ask again if you still can't get it going.

GREG

> 
> Thanks,
> 
> -sjs
> 
-- 
Greg Matthews           01491 692445
Head of UNIX/Linux, iTSS Wallingford
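
An added example, not part of the original message: a Python audit of an LDIF export that flags userPassword values an IRIX client using the regsub above could not verify. It assumes the regsub removes only the two literal spellings it names; the sample entries, the `entry` helper and the status names are constructed for illustration.

```python
import base64
import re

STRIPPED = ("{crypt}", "{CRYPT}")   # the two spellings named in the regsub above
SCHEME = re.compile(r"^\{([^}]+)\}")

def entry(uid, pw_line):            # hypothetical helper building constructed entries
    return f"dn: uid={uid},ou=People,dc=example,dc=org\n{pw_line}\n"

# Constructed sample export; only the hash quoted in the question comes from the thread.
SAMPLE_LDIF = "\n".join([
    entry("alice", "userPassword: {crypt}w3pPyQ6ERHSMf"),
    entry("bob", "userPassword:: " + base64.b64encode(b"{CRYPT}w3pPyQ6ERHSMf").decode()),
    entry("carol", "userPassword: {SSHA}CONSTRUCTED-PLACEHOLDER"),
    entry("dave", "userPassword: {Crypt}w3pPyQ6ERHSMf"),
])

def passwords(ldif):
    """Yield (dn, userPassword) pairs, unfolding lines and decoding '::' values."""
    dn = None
    for line in ldif.replace("\n ", "").splitlines():
        name, sep, rest = line.partition(":")
        key = name.lower() if sep else None
        if rest.startswith(":"):    # 'attr:: ' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if key == "dn":
            dn = value
        elif key == "userpassword":
            yield dn, value

def audit(ldif):
    """Map each dn to (status, value left for the client to compare against)."""
    report = {}
    for dn, value in passwords(ldif):
        m = SCHEME.match(value)
        if m is None:
            report[dn] = ("no-prefix", value)            # already a bare hash
        elif m.group(0) in STRIPPED:
            report[dn] = ("ok", value[len(m.group(0)):])
        elif m.group(1).upper() == "CRYPT":
            report[dn] = ("prefix-not-matched", value)   # e.g. {Crypt} survives the regsub
        else:
            report[dn] = ("not-crypt:" + m.group(1).upper(), value)
    return report

if __name__ == "__main__":
    for dn, (status, _) in audit(SAMPLE_LDIF).items():
        print(status, dn)           # status only; hash values are not printed
```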

