Re: [nssldap] Question about getspnam/getpwnam and ldap
- From: Buchan Milne <bgmilne [at] mandriva.org>
- To: "Markus Moeller" <huaraz [at] moeller.plus.com>
- Cc: nssldap [at] padl.com, ldap-nis [at] padl.com
- Subject: Re: [nssldap] Question about getspnam/getpwnam and ldap
- Date: Fri, 11 Jan 2008 13:09:36 +0200
On Wednesday 09 January 2008 21:13:59 Markus Moeller wrote:
> The unixuserpassword attribute in AD does not use an encryption scheme
> identifier (but stores the crypt password). It has the same value as a
> "normal" /etc/shadow entry would have in the password field (e.g.
> 1c8n1k6cGDbSo).
>
> A getent shadow markus (with markus being an ldap user in AD) gives on
> Linux:
> markus:1c8n1k6cGDbSo:13565::::::
[...]
> A getent shadow does not work on OpenSolaris. But the below test program
> (using OpenSolaris native nss_ldap libraries) gives:
> ./test_shadow markus
> passwd: name=markus
> passwd: passwd=x
> passwd: uid=500
> passwd: gid=10000
> passwd: gecos=Markus Moeller
> passwd: homedir=/export/home/markus
> passwd: shell=/bin/ksh
>
>
> shadow: name=markus
> shadow: passwd=*NP*
> shadow: lastchg=-1(Wed Dec 31 01:00:00 1969)
> shadow: min=-1
> shadow: max=-1
> shadow: warn=-1
> shadow: inactive=-1
> shadow: expire=-1(Wed Dec 31 01:00:00 1969)
Your initial description (and the fact that you've sent the question to this
list) seemed to imply the nss_ldap behaviour was wrong.
>
> If I modify the unixuserpassword value in AD from 1c8n1k6cGDbSo to
> {crypt}1c8n1k6cGDbSo OpenSolaris gives:
> ./test_shadow markus
> passwd: name=markus
> passwd: passwd=x
> passwd: uid=500
> passwd: gid=10000
> passwd: gecos=Markus Moeller
> passwd: homedir=/export/home/markus
> passwd: shell=/bin/ksh
>
>
> shadow: name=markus
> shadow: passwd=1c8n1k6cGDbSo
> shadow: lastchg=-1(Wed Dec 31 01:00:00 1969)
> shadow: min=-1
> shadow: max=-1
> shadow: warn=-1
> shadow: inactive=-1
> shadow: expire=-1(Wed Dec 31 01:00:00 1969)
>
> and the checkpass succeeds too.
[...]
> My problem is now that AD does not have the {crypt} prefix and Solaris
> requires it, and I wanted to understand if the RFC is the reason for
> requiring the {crypt} prefix. From how I read it, it is optional.
>
> At the end it may mean I have to use AD as a NIS server and not as an ldap
> server.
Alternatively, you may also consider using nss_ldap on Solaris.
> In my case the proxy user has access to the userpassword attribute
> (unixuserpassword in AD) and my test_shadow test would give:
> ./test_shadow markus
> passwd: name=markus
> passwd: passwd=1c8n1k6cGDbSo
> passwd: uid=500
> passwd: gid=10000
> passwd: gecos=Markus Moeller
> passwd: homedir=/export/home/markus
> passwd: shell=/bin/ksh
>
>
> shadow: name=markus
> shadow: passwd=1c8n1k6cGDbSo
> shadow: lastchg=-1(Wed Dec 31 01:00:00 1969)
> shadow: min=-1
> shadow: max=-1
> shadow: warn=-1
> shadow: inactive=-1
> shadow: expire=-1(Wed Dec 31 01:00:00 1969)
>
> and if I understand the RFC right, getpwnam should return x and not the
> password.
Right, but this is a configuration issue (the software would be RFC compliant
in a more typical configuration).
Regards,
Buchan
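The mapping discussed in this thread, as an added illustration that is not part of the message or of nss_ldap: a userPassword value is only usable as a shadow password field when it carries the {crypt} scheme prefix (anything else maps to the "*NP*" placeholder seen in the Solaris output), getpwnam should hand out "x" when the shadow map is in use, and an audit over getent passwd lines flags accounts whose password field exposes a hash. The case-insensitive prefix match and the sample passwd lines are assumptions constructed here.

```python
import re

# RFC 2307 style scheme prefix, e.g. "{crypt}"; the case-insensitive match is an assumption.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# Constructed sample getent passwd output (the hash value is the one quoted in the thread).
SAMPLE_PASSWD = [
    "markus:x:500:10000:Markus Moeller:/export/home/markus:/bin/ksh",
    "leaky:1c8n1k6cGDbSo:501:10000:Constructed Example:/home/leaky:/bin/sh",
    "svc:*:502:10000:Locked Service Account:/nonexistent:/bin/false",
]


def shadow_passwd_field(user_password):
    """Model of the Solaris behaviour shown above: only a {crypt}-prefixed
    userPassword yields a usable shadow field; everything else becomes *NP*."""
    if user_password is None:
        return "*NP*"
    m = SCHEME_RE.match(user_password)
    if m and m.group(1).lower() == "crypt":
        return m.group(2)          # strip the prefix, keep the crypt hash
    return "*NP*"                 # no prefix or a non-crypt scheme: not usable


def passwd_field(user_password, shadow_map_in_use=True):
    """The passwd (getpwnam) field: with a shadow map in use it must be the
    'x' placeholder, never the hash; otherwise fall back to the shadow logic."""
    if shadow_map_in_use:
        return "x"
    return shadow_passwd_field(user_password)


def audit_passwd_lines(lines):
    """Return the names of getent passwd entries whose password field is not a
    placeholder; a hash there is readable by every local user (the
    configuration issue at the end of the thread)."""
    placeholders = {"x", "*", "*NP*", "!", ""}
    leaked = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 7:
            continue              # skip malformed lines rather than misreport them
        if fields[1] not in placeholders:
            leaked.append(fields[0])
    return leaked


if __name__ == "__main__":
    print(shadow_passwd_field("1c8n1k6cGDbSo"), shadow_passwd_field("{crypt}1c8n1k6cGDbSo"))
    print("hash exposed for:", audit_passwd_lines(SAMPLE_PASSWD))
```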