Re: [Fedora-directory-users] MD5 for password hashes
by Del
Hi,
I did some digging on this issue. I suspect I have found a bug
in Fedora Directory Server handling the importing of MD5 passwords,
either that or the current download versions don't support MD5.
The results are as follows:
--
Run this command on OpenLDAP to set a user's password:
ldappasswd -x -D 'uid=root,ou=People,dc=babel,dc=com,dc=au' -W -S 'uid=del,ou=People,dc=babel,dc=com,dc=au'
Do a simple ldapsearch as that user, to verify that the password is correct:
ldapsearch -x -D 'uid=del,ou=People,dc=babel,dc=com,dc=au' -W 'uid=del'
If you have set your OpenLDAP permissions to be relatively transparent,
the above ldapsearch will show a base64 representation of your password
hash. It looks like this:
userPassword:: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
You can un-base64 this hash with the following simple perl script:
#!/usr/bin/perl
#
# Usage: $0 string
#
# Decode a base64-encoded LDIF attribute value (e.g. the value of a
# "userPassword::" line) and print it, so the {SCHEME} prefix of the
# stored hash becomes visible.
use strict;
use warnings;
use MIME::Base64;
my $data = $ARGV[0];
print("Input string is " . $data . "\n");
my $decoded = decode_base64($data);
print("Decoded string is " . $decoded . "\n");
You will see that the password contains the prefix {MD5}, which looks
like this:
Decoded string is {MD5}asdfasdfasdfasdfasdf==
Import your OpenLDAP directory into Fedora Directory Server. I used
LdapImport for this although I also tried it with ldif2db.
What happens during the process of LdapImport is:
* Passwords of type {CRYPT} are transferred across OK to the
FedoraDirectoryServer.
* Passwords of type {MD5} appear in the FedoraDirectoryServer as strings
beginning with {SSHA}. This can be verified by examining the directory
using GQ or a similar LDAP tool, while bound as "cn=Directory Manager".
* Attempts to authenticate with the original password now fail.
* Attempting to authenticate as the full MD5 string (i.e. use the hash
string '{MD5}asdfasdf...==' as extracted from the OpenLDAP server as the
password for Fedora Directory Server) in fact works.
I expect that what has happened is that Fedora Directory Server has
failed to recognise the {MD5} at the beginning of the string as a valid
hash mechanism and re-encoded the entire string as an SSHA hash.
I see that on the FDS wiki there is mention of MD5 hashing support
being added on June 15th. I have fedora-ds-7.1-2.RHEL4 installed from
the RPM I downloaded from the FDS web site. How do I verify that this
version should have the MD5 support, or do I need a more recent version?
--
Del
18 years
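The decoding step and the import symptom Del describes (an {MD5} value that no longer verifies the real password but does verify the literal "{MD5}..." string) can be checked mechanically. The following is an added example, not code from the thread or from Fedora Directory Server: it parses a userPassword LDIF line, splits off the {SCHEME} prefix, verifies a candidate against {MD5} (unsalted MD5, as OpenLDAP stores it) and {SSHA} (SHA-1 over password plus trailing salt), and classifies an imported hash as faithful, double-hashed or broken. The sample password and the simulated "importer" are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample value for this example (not taken from any real directory).
SAMPLE_PASSWORD = "secret"


def parse_ldif_userpassword(line: str) -> str:
    """Return the raw userPassword value carried by one LDIF attribute line.

    'userPassword:: <b64>' (double colon) means the whole value, prefix
    included, is base64-encoded as per RFC 2849; 'userPassword: <value>'
    carries the value literally.
    """
    attr, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    return rest.strip()


def split_scheme(stored: str):
    """Split '{SCHEME}payload' into ('SCHEME', payload); no prefix gives (None, stored)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return None, stored


def make_md5(password: str) -> str:
    """OpenLDAP-style {MD5}: base64 of the raw, unsalted MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes = None) -> str:
    """{SSHA}: base64 of sha1(password + salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {MD5}, {SSHA} or cleartext value."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "MD5":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.md5(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme is None:
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    raise ValueError("unsupported password scheme %r" % scheme)


def diagnose_import(source_hash: str, imported_hash: str, password: str) -> str:
    """Classify what an import did to one user's password hash.

    'ok'            - the imported hash still verifies the real password
    'double-hashed' - the imported hash verifies the literal source string
                      (e.g. '{MD5}...'), i.e. the importer treated the hash
                      as a cleartext password and re-hashed it
    'broken'        - neither; the entry was altered some other way
    """
    if verify(imported_hash, password):
        return "ok"
    if verify(imported_hash, source_hash):
        return "double-hashed"
    return "broken"


if __name__ == "__main__":
    source = make_md5(SAMPLE_PASSWORD)
    ldif_line = "userPassword:: " + base64.b64encode(source.encode()).decode()
    print("LDIF line:", ldif_line)
    print("decoded  :", parse_ldif_userpassword(ldif_line))
    # Simulate an importer that failed to recognise {MD5} and re-hashed the whole string.
    bad = make_ssha(source)
    good = make_ssha(SAMPLE_PASSWORD)
    print("faithful import :", diagnose_import(source, good, SAMPLE_PASSWORD))
    print("re-hashed import:", diagnose_import(source, bad, SAMPLE_PASSWORD))
```

Run against a source export and a post-import dump of the same user, diagnose_import tells you whether the importer kept the hash or turned it into a hash of the hash; a "double-hashed" result for every {MD5} user while {CRYPT} users stay "ok" is exactly the pattern described above.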
[Fedora-directory-users] Sync AD
by Pedro Rodrigues
Hi
Does anyone have a document, like a howto, that explains how we can
synchronize FDS with AD? Has anyone already done this?
Thanks.
--
Kind regards,
Pedro Rodrigues
Information Technologies
Centimfe - Centro Tecnológico da Indústria dos Moldes, Ferramentas Especiais e Plásticos
Zona Industrial
Rua da Espanha, Lote 8
Apartado 313
2431-904 Marinha Grande
tel.: (+351) 244 545 600
email.: pedro.rodrigues(a)centimfe.com
Web.: http://www.centimfe.com
18 years, 1 month
[Fedora-directory-users] Schema Conversion
by D Canfield
I don't suppose anyone has found an easy way to convert OpenLDAP schema
into fedora-ds compatible ldif files? We've got about 100 attributes
defined, and I'm really not looking forward to entering them all by hand...
Thanks
DC
18 years, 1 month
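The mechanical part of that conversion is small enough to script. The following is an added example, not a tool from the thread or from the Fedora Directory Server project: it reads OpenLDAP slapd.conf-style schema (full-line "#" comments, whitespace-indented continuation lines, and "objectidentifier" OID macros, which it expands), and emits the definitions as "attributeTypes:"/"objectClasses:" lines of a cn=schema LDIF entry in the layout of FDS's 99user.ldif, attributes before the object classes that reference them. The "X-ORIGIN 'user defined'" tag is the one 389/FDS puts on user schema; the sample schema and its OIDs are constructed for the example.

```python
import re

MACRO_RE = re.compile(r"^objectidentifier\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)
DEF_RE = re.compile(r"^(attributetype|objectclass)\s+(\(.*\))\s*$", re.IGNORECASE)
KEYWORD_MAP = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}

# Constructed OpenLDAP schema fragment; the OIDs under 99999 are placeholders.
SAMPLE_SCHEMA = """\
# constructed example, not a real schema
objectidentifier babelOID 1.3.6.1.4.1.99999
objectidentifier babelAttr babelOID:1
objectidentifier babelClass babelOID:2

attributetype ( babelAttr:1 NAME 'babelShell'
    DESC 'login shell, example'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( babelClass:1 NAME 'babelAccount'
    SUP top AUXILIARY
    MAY ( babelShell ) )
"""


def _logical_lines(text):
    """Yield slapd.conf statements: comment lines dropped, continuation lines joined."""
    current = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:       # indented line continues the statement
            current.append(raw.strip())
        else:
            if current:
                yield " ".join(current)
            current = [raw.strip()]
    if current:
        yield " ".join(current)


def _expand_macros(body, macros):
    """Replace 'macro' or 'macro:1.2' tokens with the OID they stand for."""
    if not macros:
        return body
    names = sorted(macros, key=len, reverse=True)       # longest first, no prefix clashes
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")(?::([\d.]+))?\b")

    def repl(m):
        base, suffix = macros[m.group(1)], m.group(2)
        return base + ("." + suffix if suffix else "")
    return pattern.sub(repl, body)


def convert_schema(text, origin="user defined"):
    """Return (attributeTypes lines, objectClasses lines) in FDS LDIF form."""
    macros, attrs, classes = {}, [], []
    for stmt in _logical_lines(text):
        m = MACRO_RE.match(stmt)
        if m:
            macros[m.group(1)] = _expand_macros(m.group(2), macros)
            continue
        m = DEF_RE.match(stmt)
        if not m:
            continue                                    # other slapd.conf directives
        keyword = KEYWORD_MAP[m.group(1).lower()]
        body = re.sub(r"\s+", " ", _expand_macros(m.group(2), macros))
        if origin and "X-ORIGIN" not in body:
            body = body[:-1].rstrip() + " X-ORIGIN '%s' )" % origin
        (attrs if keyword == "attributeTypes" else classes).append("%s: %s" % (keyword, body))
    return attrs, classes


def to_ldif(text, origin="user defined"):
    """Wrap converted definitions in the cn=schema entry layout used by 99user.ldif."""
    attrs, classes = convert_schema(text, origin)
    header = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry",
              "objectClass: subschema", "cn: schema"]
    return "\n".join(header + attrs + classes) + "\n"


if __name__ == "__main__":
    print(to_ldif(SAMPLE_SCHEMA))
```

Only equality-style schema statements are handled; ditcontentrule and other directives are skipped, and a definition that contains "#" inside a DESC string survives because only whole comment lines are dropped. Check the resulting file against the server's schema log on first load, since the server, not this script, decides whether each SYNTAX and matching rule is one it knows.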
[Fedora-directory-users] Password Sync Search Scope
by Brian Peters
Hi,
I have a user directory structure in AD that mimics a typical org chart
such that my ou=People directory contains additional ou's as subtrees
that represent different departments. I have a windows sync agreement
in FDS set up, and after manually adding the various ou's on the FDS
side, all the users sync over properly in all the subtrees.
My problem is with the password sync service for windows. Upon changing
a user's password that has already been replicated to FDS from AD, I see
in the access logs a search along these lines:
SRCH base="ou=People,dc=my,dc=domain" scope=1
filter="(ntUserDomainId=myUser)" attrs=ALL
with the result indicating no entries found:
RESULT err=0 tag=101 nentries=0 etime=0
The myUser account is at ou=MyDept,ou=People,dc=my,dc=domain, but the
password sync service issues a search request to only search the
ou=People directory non-recursively (i.e. scope=1). I don't see any
options in either the PassSync.msi setup or in the registry keys to
force the service to do a scope=2 recursive search. I tried to use the
syntax "ou=People,dc=my,dc=domain?sub", but it doesn't seem to recognize
that either. Is there any workaround for this besides synchronizing
all of my users to a single directory on FDS?
Thanks,
Brian
18 years, 2 months
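The access-log line above says everything needed to reproduce the miss: scope=1 means "one level below the base", so an entry two levels down under ou=MyDept is simply outside the search. As an added example (not code from the thread or from PassSync), the block below implements the three LDAP search scopes over DNs, replays SRCH lines from an access log against a small in-memory tree, and flags every search that returned zero entries at its logged scope but would have matched with scope=2. The tree and log lines are constructed to mirror the layout Brian describes.

```python
import re

# SRCH line as written to the FDS access log; the conn/op prefix is not required.
SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>[0-2]) filter="(?P<filter>[^"]*)"')
EQ_FILTER_RE = re.compile(r"^\((?P<attr>[^=()]+)=(?P<value>[^()]*)\)$")

# Constructed in-memory directory tree mirroring the thread's layout.
DIT = {
    "ou=People,dc=my,dc=domain": {"objectClass": "organizationalUnit"},
    "uid=flatUser,ou=People,dc=my,dc=domain": {"ntUserDomainId": "flatUser"},
    "ou=MyDept,ou=People,dc=my,dc=domain": {"objectClass": "organizationalUnit"},
    "uid=myUser,ou=MyDept,ou=People,dc=my,dc=domain": {"ntUserDomainId": "myUser"},
}

# Constructed access-log lines in the format the thread quotes.
LOG_LINES = [
    'conn=7 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(ntUserDomainId=myUser)" attrs=ALL',
    'conn=7 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(ntUserDomainId=flatUser)" attrs=ALL',
    'conn=8 op=1 SRCH base="ou=People,dc=my,dc=domain" scope=2 filter="(ntUserDomainId=myUser)" attrs=ALL',
]


def dn_rdns(dn):
    """Split a DN into lowercased RDNs (no escaped-comma handling; enough for this sample)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """LDAP search scope semantics: 0 = base only, 1 = one level, 2 = whole subtree."""
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                       # not under the base at all
    depth = len(entry) - len(base)
    if scope == 0:
        return depth == 0
    if scope == 1:
        return depth == 1
    return True


def run_search(dit, base_dn, scope, filter_str):
    """Evaluate a simple equality filter over the entries the scope admits."""
    m = EQ_FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("only simple equality filters are supported: %r" % filter_str)
    attr, value = m.group("attr").lower(), m.group("value").lower()
    return [dn for dn, attrs in dit.items()
            if in_scope(dn, base_dn, scope)
            and any(k.lower() == attr and v.lower() == value for k, v in attrs.items())]


def replay_search(dit, log_line):
    """Replay one SRCH log line at its logged scope and again at scope=2."""
    m = SRCH_RE.search(log_line)
    if not m:
        return None
    base, scope, flt = m.group("base"), int(m.group("scope")), m.group("filter")
    return {
        "base": base, "scope": scope, "filter": flt,
        "nentries": len(run_search(dit, base, scope, flt)),
        "nentries_if_sub": len(run_search(dit, base, 2, flt)),
    }


def flag_scope_misses(dit, log_lines):
    """Searches that found nothing at the logged scope but would have with scope=2."""
    hits = []
    for line in log_lines:
        r = replay_search(dit, line)
        if r and r["nentries"] == 0 and r["nentries_if_sub"] > 0:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in flag_scope_misses(DIT, LOG_LINES):
        print("scope=%d search under %s for %s found 0 entries; scope=2 would find %d"
              % (r["scope"], r["base"], r["filter"], r["nentries_if_sub"]))
```

Fed real access-log lines and an LDIF export of the People subtree, the same replay shows which users the one-level search can never reach, which is a quick way to size the problem before deciding between flattening the tree and waiting for a sync service that searches the subtree.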
[Fedora-directory-users] FC3 - Back to cyrus-sasl
by Jason Kullo Sam
Ok...guess I have to get this build going after all. Getting halfway
through the make, then failing with the following error. Doh!
Attacked the cyrus install again. Did a make clean, then changed my mind
and deleted the entire folder and started all over with it. For some reason,
the sasl make seemed to go this time (maybe I just needed to blow the
folder out last time)...but the make on ldapserver still failed. See
below for the log (snipped out bits of spam...). On the bright side...I'm
actually learning lots! =D
====================================================================
[root@genie ds]# gunzip -c cyrus-sasl-2.1.20.tar.gz | tar xf -
tar: Read 2048 bytes from -
[root@genie ds]# cd cyrus-sasl-2.1.20
[root@genie cyrus-sasl-2.1.20]# CFLAGS="-O2" ./configure
--enable-gssapi=/usr/kerberos/include/--enable-static --without-des
--without-openssl
configure: creating cache ./config.cache
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
-------------------- SNIP Successful Config
updating cache .././config.cache
configure: creating ./config.status
config.status: creating Makefile
config.status: creating saslauthd.h
config.status: executing depfiles commands
Configuration Complete. Type 'make' to build.
[root@genie cyrus-sasl-2.1.20]#
##########################
Onto the make...
##########################
Configuration Complete. Type 'make' to build.
[root@genie cyrus-sasl-2.1.20]# gmake
gmake all-recursive
gmake[1]: Entering directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20'
Making all in include
gmake[2]: Entering directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20/include'
if gcc -DHAVE_CONFIG_H -I. -I. -I.. -Wall -W -O2 -MT makemd5.o -MD
-MP -MF ".deps/makemd5.Tpo" \
-c -o makemd5.o `test -f 'makemd5.c' || echo './'`makemd5.c; \
then mv ".deps/makemd5.Tpo" ".deps/makemd5.Po"; \
else rm -f ".deps/makemd5.Tpo"; exit 1; \
fi
/bin/sh ../libtool --mode=link gcc -Wall -W -O2 -o makemd5
makemd5.o -lresolv
mkdir .libs
------------------- SNIP Make spam ----------------------------
if gcc -DHAVE_CONFIG_H
-DSASLAUTHD_CONF_FILE_DEFAULT=\"/usr/local/etc/saslauthd.conf\" -I. -I.
-I.. -I. -I. -I. -I./include -I./include -I./../include -O2 -MT
saslauthd-main.o -MD -MP -MF ".deps/saslauthd-main.Tpo" \
-c -o saslauthd-main.o `test -f 'saslauthd-main.c' || echo
'./'`saslauthd-main.c; \
then mv ".deps/saslauthd-main.Tpo" ".deps/saslauthd-main.Po"; \
else rm -f ".deps/saslauthd-main.Tpo"; exit 1; \
fi
if gcc -DHAVE_CONFIG_H
-DSASLAUTHD_CONF_FILE_DEFAULT=\"/usr/local/etc/saslauthd.conf\" -I. -I.
-I.. -I. -I. -I. -I./include -I./include -I./../include -O2 -MT md5.o
-MD -MP -MF ".deps/md5.Tpo" \
-c -o md5.o `test -f 'md5.c' || echo './'`md5.c; \
then mv ".deps/md5.Tpo" ".deps/md5.Po"; \
else rm -f ".deps/md5.Tpo"; exit 1; \
fi
gcc -O2 -o saslauthd mechanisms.o auth_dce.o auth_getpwent.o
auth_krb5.o auth_krb4.o auth_pam.o auth_rimap.o auth_shadow.o auth_sia.o
auth_sasldb.o lak.o auth_ldap.o cache.o utils.o ipc_unix.o ipc_doors.o
saslauthd-main.o md5.o -lcrypt -lresolv -lresolv
gmake[3]: Leaving directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20/saslauthd'
gmake[2]: Leaving directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20/saslauthd'
gmake[2]: Entering directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20'
gmake[2]: Leaving directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20'
gmake[1]: Leaving directory
`/root/Desktop/dsbuild-static/ds/cyrus-sasl-2.1.20'
[root@genie cyrus-sasl-2.1.20]#
#######################################
Seems to have compiled right that time for some reason...weird...
#######################################
[root@genie cyrus-sasl-2.1.20]# cd ..
[root@genie ds]# ls
09.23 icu-2.4.tgz
09.27 ldapserver
cyrus-sasl-2.1.20 mozilla
cyrus-sasl-2.1.20.tar.gz mozilla-components.tar.gz
db-4.2.52.NC net-snmp-5.2.1
db-4.2.52.NC.tar.gz net-snmp-5.2.1.tar.gz
fedora-adminutil-devel-7.1 patch.4.2.52.1
fedora-adminutil-devel-7.1.tar.gz patch.4.2.52.2
fedora-setuputil-devel-7.1 patch.4.2.52.3
fedora-setuputil-devel-7.1.tar.gz patch.4.2.52.4
icu
[root@genie ds]# cd ldapserver/
[root@genie ldapserver]# gmake USE_PERL_FROM_PATH=1 BUILD_DEBUG=optimize
if test ! -d Linux; then mkdir Linux; fi;
/usr/bin/perl buildnum.pl -p Linux
NSOS_RELEASE is: 2.6
/usr/bin/perl pumpkin.pl 120 pumpkin.dat
The components are up to date
==== Starting LDAP Server ==========
gmake BUILD_OPT=1 NO_JAVA=1 nsCommon
gmake[1]: Entering directory `/root/Desktop/dsbuild-static/ds/ldapserver'
-------------------------- SNIP Make Spam
.o
../../../built/Linux-domestic-optimize-normal-slapd/servers/obj/main.o
-L../../../built/release/slapd/Linux-domestic-optimize-normal-slapd/bin/slapd/server
-lslapd -lldapu
-L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -lssl3
-lnss3 -lsoftokn3 -L../../../../mozilla/dist/lib -lssldap50 -lldap50
-lprldap50 -L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib
-lplc4 -lplds4 -lnspr4
-L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -ldbm
-lavl -lldif -llitekey -ldl
-L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -lsvrcore
-L../../../../cyrus-sasl-2.1.20/lib -lsasl2 -L/usr/kerberos/lib
-lgssapi_krb5 -lcrypt -lpthread -L../../../../db-4.2.52.NC/built/.libs
-ldb-4.2
/usr/bin/ld: cannot find -lsasl2
collect2: ld returned 1 exit status
gmake[3]: ***
[../../../built/release/slapd/Linux-domestic-optimize-normal-slapd/bin/slapd/server/ns-slapd]
Error 1
gmake[3]: Leaving directory
`/root/Desktop/dsbuild-static/ds/ldapserver/ldap/servers/slapd'
gmake[2]: *** [_slapd] Error 2
gmake[2]: Leaving directory
`/root/Desktop/dsbuild-static/ds/ldapserver/ldap/servers'
gmake[1]: *** [ldapprogs] Error 2
gmake[1]: Leaving directory
`/root/Desktop/dsbuild-static/ds/ldapserver/ldap'
gmake: *** [buildDirectory] Error 2
[root@genie ldapserver]# ls ../cyrus-sasl-2.1.20/lib
auxprop.c client.lo dlopen.o Makefile.in saslutil.o
auxprop.lo client.o external.c md5.c server.c
auxprop.o common.c external.lo md5.lo server.lo
canonusr.c common.lo external.o md5.o server.o
canonusr.lo common.o getaddrinfo.c NTMakefile seterror.c
canonusr.o config.c getnameinfo.c plugin_common.lo seterror.lo
checkpw.c config.lo getsubopt.c plugin_common.o seterror.o
checkpw.lo config.o libsasl2.la saslint.h snprintf.c
checkpw.o dlopen.c Makefile saslutil.c staticopen.h
client.c dlopen.lo Makefile.am saslutil.lo windlopen.c
[root@genie ldapserver]#
18 years, 2 months
[Fedora-directory-users] FC3 - DS Source Build Prb
by Jason Kullo Sam
Ok, got through all that, now onto building the DS source(again...but
RIGHT this time).
I get the feeling
################
I input this
################
cd ldapserver/ ; gmake USE_PERL_FROM_PATH=1
BUILD_DEBUG=optimize
################
the make dies this...
################
-L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -lplc4
-lplds4 -lnspr4
-L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -ldbm
-lavl -lldif -llitekey -ldl
-L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -lsvrcore
-L../../../../cyrus-sasl-2.1.20/lib -lsasl2 -L/usr/kerberos/lib
-lgssapi_krb5 -lcrypt -lpthread -L../../../../db-4.2.52.NC/built/.libs
-ldb-4.2
/usr/bin/ld: cannot find -lgssapi_krb5
collect2: ld returned 1 exit status
gmake[3]: ***
[../../../built/release/slapd/Linux-domestic-optimize-normal-slapd/bin/slapd/server/ns-slapd]
Error 1
gmake[3]: Leaving directory
`/root/Desktop/dsbuild-static/ds/ldapserver/ldap/servers/slapd'
gmake[2]: *** [_slapd] Error 2
gmake[2]: Leaving directory
`/root/Desktop/dsbuild-static/ds/ldapserver/ldap/servers'
gmake[1]: *** [ldapprogs] Error 2
gmake[1]: Leaving directory
`/root/Desktop/dsbuild-static/ds/ldapserver/ldap'
gmake: *** [buildDirectory] Error 2
[root@genie ldapserver]#
######################
Searched for lgssapi_krb5...is this wrong?
######################
[root@genie ~]# updatedb
[root@genie ~]# locate libgssapi_krb5.a
[root@genie ~]# locate libgssapi_krb5
/usr/lib/libgssapi_krb5.so.2
/usr/lib/libgssapi_krb5.so.2.2
=================================================================
Any ideas?
18 years, 2 months
[Fedora-directory-users] mirroring fds
by Adam Moser
I'm not sure if this is the right mailing list to ask
this too; if it is not I apologize for the
inconvenience.
I am running fds on my main computer (FC3) and I would
like to mirror it on another machine. The main
computer fds is providing the ldap authentication, so
when it goes down I have problems all over. I have
been working on the new machine for a while with no
luck in getting it to sync with the main machine to
get the fds information.
Has anyone done anything like this? Any help or clues
would be greatly appreciated.
Thanks
18 years, 2 months
[Fedora-directory-users] LDAP Migration Tools
by Del
Hi,
I am part way through writing this set of LDAP migration scripts.
Not finished yet but might be useful to someone in their current
state:
http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport
To quote:
LdapImport.pl imports data into a destination LDAP server, from one of
two sources. The data can come from either:
* Another (source) LDAP server, or
* /etc/passwd, /etc/shadow and /etc/group files.
Some attempt at schema checking and/or mapping is done. Also, the
program will over-write existing entries in the destination LDAP server
if required.
This was originally designed as a tool to assist migration from OpenLDAP
to Fedora Directory Server but plans are to develop it into a general
purpose LDAP migration tool.
The tool is currently text based but there will be a GUI version
developed soon, possibly using Glade.
Some parts of these scripts are based on the well known tools by Luke
Howard.
Comments and bug reports to dev(a)babel.com.au
--
Del
18 years, 2 months
[Fedora-directory-users] Management of source build?
by Dominic Ijichi
Hi
I've built FDS 7.1 from the source on two machines. I'd like to populate with
data and get the two synched together as a simple cluster using multi-master
replication.
Is this currently possible with the open-source version? Can the management
console be used yet without the admin server? Current documentation relies on
the java console; is there any documentation that shows how to do replication
and other management functions without the gui?
cheers
dom
18 years, 2 months
[Fedora-directory-users] How to migrate a server instance of NS directory 4.1 to FC ns directory 7.1?
by Jet Young
Hi all:
I used to have a server instance created by NS directory 4.1, and there was
a lot of data in the DB and personal schemas. The DB and the personal schemas
were backed up by copying the original db files. That is, I have two of the original
server's configuration files, named "sldap_user_at.conf" and
"sladp_user_oc.conf", and I have some db files named "*.db2".
Now I want to create a new server in Fedora Directory 7.1 with these data.
But I found some problems.
1. In NS directory 4.1, I only needed to copy those files to the relevant
directory and everything would be OK. But now, I can't find any files named
"sldap_user_at.conf" or "sladp_user_oc.conf".
2. The DB used in Fedora Directory 7.1 is version 4, but the db files I
backed up are version 2. I don't know if they are compatible.
If anyone knows the answer, please feel free to contact me. Many thanks to
all of you.
Have a good day!
18 years, 2 months