LinuxQuestions.org

Slackware forum thread: Issues with OpenLDAP on 13.37 with NSS_LDAP using SHA512 (https://www.linuxquestions.org/questions/slackware-14/issues-with-openldap-on-13-37-with-nss_ldap-using-sha512-949435/)

ThatItGuy10499 06-09-2012 06:25 PM

Issues with OpenLDAP on 13.37 with NSS_LDAP using SHA512
 
Hello,

I have a working setup of custom-compiled software on Slackware 13.37 wherein I have OpenLDAP 2.4.31 and NSS_LDAP 264 performing auth for all of my users and applications. I recently took notice of the 8-character limit on CRYPT passwords quite by accident. Since then I have been working to get SHA512 working. At this point in time I have added the optional SHA2 module to OpenLDAP, and if I create a SHA512 password for a user account within the LDAP directory, I can authenticate it properly, using SASL as the method of verification and using a SHA512 hash for my rootpw setting in slapd.conf.

Within the same environment I am able to create and authenticate users against a SHA512 password if I use the default shadow encryption under Slackware (modify login.defs to use SHA512, set the password, change nsswitch.conf to use compat). Great, so technically the system is now using SHA512 encryption.

Where I am stuck, though, is that Slackware creates a salted $6$ key in the shadow file, while OpenLDAP creates a base64 version of the hash. If I implant the shadow version of the hash into OpenLDAP, then SASL won't auth the user.

Now, because this is really a one-user network, I could just have a shadow salted version of my password in /etc/shadow and a SHA512 base64 version in OpenLDAP, but then I'd have to change my password on each system on my LAN, and change it over and over by different methods. I like having the ability to do SSO-style networking at home (all apps, systems, etc. auth against LDAP, so that I change my password once and everything else plays against it).

Hopefully this makes sense and someone will know of a way either to get OpenLDAP to take the $6$ salted version of Slackware's password hash and work with it, or to have Slackware read the base64 version of the password from OpenLDAP and work with it for auth via NSS_LDAP. Like I said above, everything works as I want as long as I use all the default crypt passwords, so the issue is not the configuration of LDAP or NSS_LDAP until I make the switch from CRYPT to SHA512.

I've placed this in the Slack forum because I was sure that here I would not get any discussion about PAM or configuration via system-config-auth ;-)

Thanks all; if there's any more information you need, just let me know and I'll try to provide it. I'm not great with encryption tech and my developer skills are nil.

ThatItGuy10499 06-09-2012 08:37 PM

Resolved - Here's how
 
I found this on another forum today after banging my head against the wall several times.

1. Modify /etc/login.defs to use SHA512
2. Modify slapd.conf and include the following two lines:

password-hash {CRYPT}
password-crypt-salt-format "$6$%.86s"

3. Modify any other tools such as SMBLDAP-TOOLS to include the same crypt salt format and hash type. Your hashes in LDAP will always be in the default Slackware SHA512 format, but will pass properly through SASL, NSS_LDAP, etc. This puts the system in a state where you are using strong encryption and allows passwords longer than 8 characters. SMBLDAP will even write the proper Slack-style strings as binary into userPassword.

As originally described, you MUST add the optional SHA2 module.

Refs:

http://www.shermann.name/2010/08/ope...passwords.html
https://confluence.atlassian.com/dis...sha1+passwords
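The following is an added example, not code from this thread, from OpenLDAP or from Slackware. It shows why the two config lines above make the LDAP and shadow hashes interchangeable: with password-hash {CRYPT}, slapd stores the literal output of the C library's crypt(3) behind a {CRYPT} scheme tag, and crypt(3) with a "$6$" salt is exactly what passwd writes to /etc/shadow once login.defs selects SHA512. The block implements SHA512-crypt in pure Python (the glibc algorithm, checked against Drepper's published test vector), then models how slapd and the shadow suite each compare a stored value. The passwords, salts, and function names (sha512_crypt, crypt_check, slapd_check, demo) are constructed for this illustration.

```python
"""Added example; not code from the thread, OpenLDAP or Slackware.
Pure-Python SHA512-crypt ($6$, glibc algorithm) plus a model of how slapd and the
shadow suite each compare a stored value.  All passwords and salts are constructed
test data; the known-answer vector used in testing is Drepper's SHA-crypt one."""
import base64
import hashlib
import hmac
import re

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_24bit(b2, b1, b0, nchars):
    """crypt-style base64: nchars 6-bit groups of a 24-bit word, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(nchars):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def _digest_order():
    """glibc's output permutation: triples (k, k+21, k+42) rotated by k mod 3."""
    order = []
    for k in range(21):
        i, j, l = k, k + 21, k + 42
        order.append(((i, j, l), (j, l, i), (l, i, j))[k % 3])
    return order


def sha512_crypt(password: bytes, salt: str, rounds=None) -> str:
    """crypt(3) output for a $6$ hash; rounds=None is the default 5000 with no prefix."""
    salt = salt[:16]                             # glibc uses at most 16 salt characters
    n_rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    s, n = salt.encode(), len(password)
    b = hashlib.sha512(password + s + password).digest()        # digest B
    a = hashlib.sha512(password + s)                             # digest A
    a.update(b * (n // 64) + b[: n % 64])
    i = n
    while i:
        a.update(b if i & 1 else password)
        i >>= 1
    a = a.digest()
    dp = hashlib.sha512(password * n).digest()                   # P sequence
    p = dp * (n // 64) + dp[: n % 64]
    ds = hashlib.sha512(s * (16 + a[0])).digest()                # S sequence
    ss = ds * (len(s) // 64) + ds[: len(s) % 64]
    c = a
    for i in range(n_rounds):                                    # key stretching
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(ss)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _digest_order())
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" + ("" if rounds is None else f"rounds={n_rounds}$")
    return prefix + salt + "$" + enc


_CRYPT6 = re.compile(r"\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{0,16})\$[./0-9A-Za-z]{86}")


def crypt_check(password: bytes, stored: str) -> bool:
    """What login/PAM does against /etc/shadow: crypt(password, stored) == stored."""
    m = _CRYPT6.fullmatch(stored)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha512_crypt(password, m.group(2), rounds), stored)


def slapd_check(password: bytes, user_password: str) -> bool:
    """Model of slapd's userPassword comparison for the schemes in this thread."""
    if user_password.startswith("{CRYPT}"):                 # built-in scheme, calls crypt(3)
        return crypt_check(password, user_password[len("{CRYPT}"):])
    if user_password.startswith("{SHA512}"):                # pw-sha2 module: base64(SHA-512)
        raw = base64.b64decode(user_password[len("{SHA512}"):])
        return hmac.compare_digest(hashlib.sha512(password).digest(), raw)
    if user_password.startswith("{"):
        return False                                        # other schemes not modelled
    return hmac.compare_digest(password, user_password.encode())  # no tag: cleartext compare


def demo(password: bytes = b"longer than eight chars", salt: str = "constructedsalt1") -> dict:
    """Constructed walk-through of the stored forms the thread compares."""
    shadow = sha512_crypt(password, salt)                   # passwd with SHA512 in login.defs
    ldap_crypt = "{CRYPT}" + shadow                         # slapd with password-hash {CRYPT}
    ldap_sha512 = "{SHA512}" + base64.b64encode(hashlib.sha512(password).digest()).decode()
    return {
        "shadow_ok": crypt_check(password, shadow),
        "ldap_crypt_ok": slapd_check(password, ldap_crypt),
        "ldap_sha512_ok": slapd_check(password, ldap_sha512),
        "bare_shadow_string_in_ldap_ok": slapd_check(password, shadow),
        "ldap_sha512_string_in_shadow_ok": crypt_check(password, ldap_sha512),
        "interchangeable": ldap_crypt[len("{CRYPT}"):] == shadow,
    }
```

Three points the model makes visible. First, glibc's SHA512-crypt uses at most the first 16 salt characters, so password-crypt-salt-format "$6$%.16s" produces the same stored strings as the "%.86s" in the post; slapd stores whatever crypt(3) returns, already truncated. Second, the {CRYPT} scheme is part of slapd itself (when built with crypt support) and delegates to the C library, whereas the SHA2 contrib module supplies the separate {SHA512} and {SSHA512} schemes whose base64 output the first post describes; those values cannot be consumed by the shadow suite, which is the dead end the poster ran into. Third, slapd compares a userPassword value with no scheme tag as cleartext, so a bare "$6$..." string pasted from /etc/shadow never authenticates until it carries the {CRYPT} tag.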

