Re: [nssldap] Question about getspnam/getpwnam and ldap

On Wednesday 09 January 2008 21:13:59 Markus Moeller wrote:

> The unixuserpassword attribute in AD does not use an encryption scheme
> identifier (but stores the crypt password). It has the same value as a
> "normal" /etc/shadow entry would have in the password field (e.g.
> 1c8n1k6cGDbSo).
>
> A "getent shadow markus" (with markus being an ldap user in AD) gives on
> Linux:
> markus:1c8n1k6cGDbSo:13565::::::

[...]

> A getent shadow does not work on OpenSolaris. But the below test program
> (using OpenSolaris native nss_ldap libraries) gives:
> ./test_shadow markus
> passwd: name=markus
> passwd: passwd=x
> passwd: uid=500
> passwd: gid=10000
> passwd: gecos=Markus Moeller
> passwd: homedir=/export/home/markus
> passwd: shell=/bin/ksh
>
>
> shadow: name=markus
> shadow: passwd=*NP*
> shadow: lastchg=-1(Wed Dec 31 01:00:00 1969)
> shadow: min=-1
> shadow: max=-1
> shadow: warn=-1
> shadow: inactive=-1
> shadow: expire=-1(Wed Dec 31 01:00:00 1969)

Your initial description (and the fact that you've sent the question to this 
list) seemed to imply the nss_ldap behaviour was wrong.

>
> If I modify the unixuserpassword value in AD from 1c8n1k6cGDbSo to
> {crypt}1c8n1k6cGDbSo OpenSolaris gives:
> ./test_shadow markus
> passwd: name=markus
> passwd: passwd=x
> passwd: uid=500
> passwd: gid=10000
> passwd: gecos=Markus Moeller
> passwd: homedir=/export/home/markus
> passwd: shell=/bin/ksh
>
>
> shadow: name=markus
> shadow: passwd=1c8n1k6cGDbSo
> shadow: lastchg=-1(Wed Dec 31 01:00:00 1969)
> shadow: min=-1
> shadow: max=-1
> shadow: warn=-1
> shadow: inactive=-1
> shadow: expire=-1(Wed Dec 31 01:00:00 1969)
>
> and the checkpass succeeds too.

[...]

> My problem is now that AD does not have the {crypt} prefix and Solaris
> requires it and I wanted to understand if the RFC is the reason for
> requiring the {crypt} prefix. From how I read it, it is optional.
>
> At the end it may mean I have to use AD as a NIS server and not as an ldap
> server.

Alternatively, you may also consider using nss_ldap on Solaris.

> In my case the proxy user has access to the userpassword attribute
> (unixuserpassword in AD) and my test_shadow test would give:
> ./test_shadow markus
> passwd: name=markus
> passwd: passwd=1c8n1k6cGDbSo
> passwd: uid=500
> passwd: gid=10000
> passwd: gecos=Markus Moeller
> passwd: homedir=/export/home/markus
> passwd: shell=/bin/ksh
>
>
> shadow: name=markus
> shadow: passwd=1c8n1k6cGDbSo
> shadow: lastchg=-1(Wed Dec 31 01:00:00 1969)
> shadow: min=-1
> shadow: max=-1
> shadow: warn=-1
> shadow: inactive=-1
> shadow: expire=-1(Wed Dec 31 01:00:00 1969)
>
> and if I understand the rfc right getpwnam should return x and not the
> password.

Right, but this is a configuration issue (the software would be RFC compliant 
in a more typical configuration).

Regards,
Buchan
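The thread turns on two things: how an RFC 2307 userPassword value with or without a {crypt} scheme prefix is turned into a shadow entry, and whether the hash ever ends up in the passwd field. The following Python script is an added illustration, not code from nss_ldap, Solaris, or either poster. It reproduces the mapping the thread describes (bare value accepted as crypt on the Linux side, rejected with *NP* unless prefixed on the Solaris side), emits passwd/shadow lines in the getent format quoted above, and includes a small audit check for a passwd line that carries a hash instead of "x". The sample entries are constructed from the values shown in the thread; the attribute names are the standard posixAccount/shadowAccount ones, and `accept_bare_as_crypt` is an assumed knob, not a real nss_ldap option.

```python
import re

# Constructed sample entries: the hash, uid/gid, gecos, home, shell and
# shadowLastChange values are taken from the getent output in the thread.
SAMPLE_BARE = {
    "uid": "markus", "uidNumber": "500", "gidNumber": "10000",
    "gecos": "Markus Moeller", "homeDirectory": "/export/home/markus",
    "loginShell": "/bin/ksh",
    "userPassword": "1c8n1k6cGDbSo",       # AD style: crypt hash, no prefix
    "shadowLastChange": "13565",
}
SAMPLE_PREFIXED = dict(SAMPLE_BARE, userPassword="{crypt}1c8n1k6cGDbSo")
SAMPLE_SSHA = dict(SAMPLE_BARE, userPassword="{SSHA}c29tZXNhbHRlZGhhc2g=")

# RFC 2307 encodes the scheme as a case-insensitive "{scheme}" prefix.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9._-]+)\}(.*)$", re.DOTALL)


def split_scheme(value):
    """Return (scheme, payload); scheme is lowercased, None when absent."""
    m = SCHEME_RE.match(value)
    if m is None:
        return None, value
    return m.group(1).lower(), m.group(2)


def shadow_password(value, accept_bare_as_crypt=False):
    """Value for the shadow password field.

    {crypt} payloads are usable directly by crypt(3).  A bare value is only
    treated as crypt when the caller opts in (the Linux behaviour in the
    thread); anything else, including non-crypt schemes such as {SSHA},
    yields "*NP*" (no password available), which is what Solaris returned.
    """
    scheme, payload = split_scheme(value)
    if scheme == "crypt" and payload:
        return payload
    if scheme is None and accept_bare_as_crypt and payload:
        return payload
    return "*NP*"


# Order of the seven numeric shadow fields after name and password.
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")


def shadow_field(entry, attr):
    """Unset or -1 attributes become empty fields, as in getent output."""
    v = entry.get(attr)
    return "" if v is None or v == "-1" else str(v)


def passwd_line(entry):
    """passwd(5) line.  The password field is always "x": the hash belongs in
    shadow, regardless of whether the LDAP bind can read userPassword."""
    return ":".join([entry["uid"], "x", entry["uidNumber"], entry["gidNumber"],
                     entry.get("gecos", ""), entry["homeDirectory"],
                     entry["loginShell"]])


def shadow_line(entry, accept_bare_as_crypt=False):
    """shadow(5) line: name, password, then the seven ageing fields."""
    fields = [entry["uid"],
              shadow_password(entry.get("userPassword", ""), accept_bare_as_crypt)]
    fields += [shadow_field(entry, a) for a in SHADOW_ATTRS]
    return ":".join(fields)


def passwd_leaks_hash(line):
    """Audit helper: True when a passwd line's second field is not one of
    the placeholder values and therefore exposes hash material to any
    local user (the misconfiguration discussed at the end of the thread)."""
    fields = line.split(":")
    return len(fields) >= 2 and fields[1] not in ("x", "*", "!", "!!", "*NP*", "")


if __name__ == "__main__":
    for label, entry in (("bare", SAMPLE_BARE), ("prefixed", SAMPLE_PREFIXED),
                         ("ssha", SAMPLE_SSHA)):
        print(label, "linux-style :", shadow_line(entry, accept_bare_as_crypt=True))
        print(label, "solaris-style:", shadow_line(entry))
    print("passwd       :", passwd_line(SAMPLE_BARE))
```

Running it shows the bare AD value producing `markus:1c8n1k6cGDbSo:13565::::::` only when bare values are accepted as crypt, and `markus:*NP*:13565::::::` otherwise, matching the Linux and OpenSolaris outputs quoted in the thread; the {crypt}-prefixed value is accepted in both modes. `passwd_leaks_hash` can be run over real `getent passwd` output to catch the case where the hash shows up in the passwd field.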