[Fedora-directory-users] userPassword is base64 encoded

Rich Megginson rmeggins at redhat.com
Wed Jun 8 02:58:46 UTC 2005


Sævaldur Gunnarsson wrote:

> I posted the following on the samba-users mailing list:
> -- 
>
> I'm switching from OpenLDAP to the newly released Fedora Directory 
> Server (formerly known as the Netscape Directory Server) as an LDAP 
> backend for my Samba domain.
>
> I'm now faced with a problem regarding how Fedora DS handles the 
> userPassword field.
> Unlike OpenLDAP it encodes it in base64 so instead of reading
> userPassword: {SSHA}8FZY4LdYi1f1oA5YgDw/+h/Rmy0mEeyO
> it reads:
> userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8=

I don't see this.  If I load the Example.ldif that comes with Fedora DS, 
I see the passwords like this:
./ldapsearch -p 7100 -s sub -b dc=example,dc=com -D "cn=directory 
manager" -w password  "objectclass=*" userpassword
dn: uid=scarter, ou=People, dc=example,dc=com
userpassword: {SSHA}pF9TERhOYiJNyGKCgJiqVCW+upjIv8LgVX/LKA==
 
dn: uid=tmorris, ou=People, dc=example,dc=com
userpassword: {SSHA}H+d/78HKXiAykaUG0sggTfD+AnITLQkBlmz7YA==
 
dn: uid=kvaughan, ou=People, dc=example,dc=com
userpassword: {SSHA}vvxSW0/+/i68xaIq+g0fKGmhTNaHHjwqNSR4Kw==

...

The original passwords are in ascii plaintext e.g.
dn: uid=scarter, ou=People, dc=example,dc=com
cn: Sam Carter
...
userpassword: sprain

Did you use some sort of migration utility to move your data from 
OpenLDAP to Fedora DS?  If so, do you still have the original LDIF that 
you imported into Fedora DS?  Does it have any extra spaces on the end 
of the userpassword lines?

>
> Samba apparently does not like this because when I try to change the 
> password using the "ctrl+alt+del -> Change Password" method I get the 
> following error in samba.log (with log level = passdb:5)
>
> -- cut here --
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
>   init_sam_from_ldap: Entry found for user: gg
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
>   init_sam_from_ldap: Entry found for user: gg
> [2005/06/07 19:27:45, 4] 
> passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
>   ldapsam_update_sam_account: user gg to be modified has dn: 
> uid=gg,ou=People,dc=kung,dc=foo
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_ldap_from_sam(893)
>   init_ldap_from_sam: Setting entry for user: gg
> [2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
>   ldapsam_modify_entry: LDAP Password could not be changed for user 
> gg: Unknown error
>         Current passwd must be supplied by the user.
>
> [2005/06/07 19:27:45, 0] 
> passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
>   ldapsam_update_sam_account: failed to modify user with uid = gg, 
> error: Current passwd must be supplied by the user.
>    (Success)
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
>   init_sam_from_ldap: Entry found for user: gg
> [2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
>   decode_pw_buffer: incorrect password length (-988553355).
> [2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
>   decode_pw_buffer: check that 'encrypt passwords = yes'
> -- cut here --
>
> And a dialog from Windows that says:
> "The User name or old password is incorrect. Letters in passwords must 
> be typed using the correct case."
>
> The SambaNTPassword and SambaLMPassword entries change, but the 
> userPassword entry does not.
> I'm using the ldap passwd sync = Yes option in my smb.conf since the 
> LDAP server is used for Linux authentication as well as Samba 
> authentication.
>
> However, if I use the smbldap-passwd utility everything works like a 
> charm.
> Both the SambaLMPassword/SambaNTPassword and userPassword entries are 
> changed.
>
> If the ldap passwd sync option is set to No in the smb.conf then 
> Windows does not complain when I use ctrl+alt+del method, but then of 
> course the userPassword entry is not modified.
>
>
> The samba server is a RHEL4 machine with samba-3.0.10-1.4E and 
> fedora-ds-7.1-2.RHEL4.
> Output from ldapsearch of the user gg:
>
> --cut here --
> kung.foo.is /opt/fedora-ds/slapd-palladium/config/schema# ldapsearch 
> -x -ZZ -D "uid=gg,ou=People,dc=kung,dc=foo" -W uid=gg userPassword 
> SambaLMPassword SambaNTPassword
> Enter LDAP Password:
>
> # gg, People, kung.foo
> dn: uid=gg,ou=People,dc=kung,dc=foo
> userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8=
> SambaLMPassword: 7B9FBD79429286DBAAD3B435B51404EE
> SambaNTPassword: 2352D5C13878770724EA84A32EFCD485
> --cut here--
>
> Advice on how to correct this is greatly appreciated.
> -- 
>
> The reply I got back was that it was not a Samba problem but a FDS 
> problem.
> I guess I'm looking for a way to store the userPassword entry as a 
> regular entry and not a base64 encoded one.
> So any advice?
>
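The `::` in the quoted ldapsearch output is LDIF syntax (RFC 2849) meaning "this value is base64-encoded in the file", not a different storage format on the server. The following added example (not part of the thread, not Fedora DS or Samba code) parses such an entry, decodes the `::` values, and reports whether the value's content actually forced the encoding (leading space/colon, non-ASCII, or the trailing space Rich asks about) or whether the LDIF writer simply chose to encode it; the `description` attribute in the sample is constructed for illustration.

```python
import base64

# Constructed sample: the ldapsearch output quoted in the thread, plus one
# made-up attribute (not from the thread) whose value ends with a space.
SAMPLE_LDIF = """\
# gg, People, kung.foo
dn: uid=gg,ou=People,dc=kung,dc=foo
userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8=
SambaLMPassword: 7B9FBD79429286DBAAD3B435B51404EE
SambaNTPassword: 2352D5C13878770724EA84A32EFCD485
description:: dHJhaWxpbmcgc3BhY2Ug
"""

def needs_base64(value):
    """RFC 2849 reason a value must/should be written 'attr:: <b64>', else None."""
    if value.startswith((" ", ":", "<")):
        return "leading space, colon or '<'"
    if any(ord(c) > 127 or c in "\0\r\n" for c in value):
        return "non-ASCII or control character"
    if value.endswith(" "):
        return "trailing space (SHOULD be encoded)"
    return None

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [(value, was_base64), ...]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)                 # skip blank and comment lines
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # 'attr:: <base64>'
            raw_bytes = base64.b64decode(rest[1:].strip())
            value, was_b64 = raw_bytes.decode("utf-8", "replace"), True
        else:                                 # 'attr: <value>', FILL = *SPACE
            value, was_b64 = rest.lstrip(" "), False
        entry.setdefault(attr.lower(), []).append((value, was_b64))
    return entry

def audit(text):
    """For each '::' value, say whether content forced the encoding."""
    report = {}
    for attr, values in parse_ldif_entry(text).items():
        for value, was_b64 in values:
            if was_b64:
                report[attr] = needs_base64(value) or "content was safe; writer chose ::"
    return report
```

Run against the quoted entry, the userPassword value decodes to the plain `{SSHA}8FZY4LdYi1f1oA5YgDw/+h/Rmy0mEeyO` hash with no trailing space, so the encoding was the LDIF writer's choice; the constructed `description` value is flagged because of its trailing space.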