RSS feed

Re: Password problem

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Password problem

On Sat, 2013-10-26 at 09:36 +0200, Olivier Hoarau wrote:
> lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0

This looks like a valid shadow hash for /etc/shadow but the used hash
could be a problem for a value of userPassword that slapd would be able
to use for authentication. That would explain why nslcd can't
authenticate to slapd.

Assuming the LDAP server contains
perhaps the cyrpt() implementation on the LDAP server doesn't support
the Blowfish (2a) hash or slapd doesn't recognise the hash format.

On my system I can generate MD5 hashes with:
  slappasswd -s test -c '$1$%.8s'
but not Blowfish hashes:
  slappasswd -s test -c '$2a$08'

> with these modification in nslcd.conf
> I got also
> getent shadow lena
> lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0
> but same error with su

Another possibility is that pam_tcb has changed in some way to no longer
use the NSS layer to request shadow information but reads /etc/shadow

> you can find the log file of the slapd server here 

Sadly, this does not provide more useful information, it only logs:

conn=1008 op=0 BIND dn="uid=lena,ou=People,dc=kervao,dc=fr" method=128
do_bind: version=3 dn="uid=lena,ou=People,dc=kervao,dc=fr" method=128
send_ldap_result: conn=1008 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49

(error code 49 is invalid credentials)

> my slapd.conf

The configuration seems reasonable.

-- arthur - - --
To unsubscribe send an email to or see