LinuxQuestions.org, Slackware forum
06-09-2012, 06:25 PM   #1
ThatItGuy10499
LQ Newbie
Registered: Jun 2012
Location: Vancouver, BC
Distribution: Slackware 13.37 x64
Posts: 3
Issues with OpenLDAP on 13.37 with NSS_LDAP using SHA512


Hello,

I have a working setup of custom compiled software on Slackware 13.37 wherein I have OpenLDAP 2.4.31 and NSS_LDAP 264 performing auth for all of my users and applications. I recently took notice of the 8 character limit on CRYPT passwords quite by accident. Since then I have been working to get SHA512 working. At this point in time I have added the optional SHA2 module to OpenLDAP, and if I create a SHA512 password for a user account within the LDAP directory, I can authenticate it properly, using SASL as a method of verification and using SHA512 as the hash of my rootpw setting in slapd.conf.

Within the same environment I am able to create and authenticate users against a SHA512 password if I use the default shadow encryption under Slackware (modify login.defs to use SHA512, set the password, change nsswitch.conf to use compat). Great, so technically the system is now using SHA512 encryption.

Where I am at, though, is that Slackware creates a salted key ($6$) in the shadow file, and OpenLDAP creates a base64 version of the hash. If I implant the shadow version of the hash into OpenLDAP, then SASL won't auth the user.

Now, because this is really a one-user network, I could just have a shadow salted version of my password in /etc/shadow and a SHA512 base64 version in OpenLDAP, but then I'd have to change my password on each system on my LAN, over and over, in different ways. I like having the ability to do SSO-style networking at home (all apps, systems, etc. auth against LDAP, so that I change my password once and everything else plays against it).

Hopefully this makes sense and someone will know of a way to get either OpenLDAP to take the $6$ salted version of Slackware's password hash and work with it, or to have Slackware read the base64 version of the password from OpenLDAP and work with it for auth via the NSS_LDAP. Like I said above, everything works as I want as long as I use all the default crypt passwords, so the issue is not configuration of LDAP or NSS_LDAP until I make the switch from CRYPT to SHA512.

I've placed this into the Slack forum because I was sure here I would not get some discussion regarding PAM or configuration via system-config-auth ;-)

Thanks all; if there's any more information you want to know, just let me know and I'll try to provide it. I'm not great with encryption tech and my developer skills are nil.
 
06-09-2012, 08:37 PM   #2
ThatItGuy10499
LQ Newbie
Registered: Jun 2012
Location: Vancouver, BC
Distribution: Slackware 13.37 x64
Posts: 3
Original Poster
Resolved - Here's how

I found this on another forum today after banging my head against the wall several times.

1. Modify /etc/login.defs to use SHA512
2. Modify slapd.conf and include the following two lines:

password-hash {CRYPT}
password-crypt-salt-format "$6$%.86s"

3. Modify any other tools, such as SMBLDAP-TOOLS, to include the same crypt salt format and hash type. Your hashes in LDAP will always be in the default Slackware SHA512 format, but will pass properly through SASL, NSS_LDAP, etc. This places the system in a state where you are using strong encryption and allows for passwords longer than 8 characters. SMBLDAP will even write the proper Slack-style strings as binary into userPassword.

As originally described, you MUST add the optional SHA2 module.

Refs:

http://www.shermann.name/2010/08/ope...passwords.html
https://confluence.atlassian.com/dis...sha1+passwords
 
  

