From: Robert Larson
Organization: SixThings Inc.
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] LDAP password-hash and kerberos
Date: Mon, 12 Sep 2005 12:46:59 -0500
In-Reply-To: <200509091107.02924.robert@sixthings.com>
Message-Id: <200509121246.59783.robert@sixthings.com>

> I have been experiencing problems with the recent openldap upgrade from 2.1
> branch to 2.2. I followed the directions in the ebuild as directed, and I
> seem to be hung up on one (maybe 2) problem. The new version of openldap
> doesn't seem to know what to do with this directive:
> password-hash {CLEARTEXT}
>
> I changed the directive to {SSHA}, then re-followed the steps in the ebuild
> for rebuilding the database. Everything seems to work fine for openldap
> now, but I _was_ using it as the backend for kerberos authentication, and
> kerberos doesn't like it at all:
> kadmin -l
> kadmin> list *
> kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> kadmin: kadm5_get_principals: Wrong database version

Is this something I should post to an OpenLDAP list? The "password-hash {CLEARTEXT}" thing seems pretty standard, and is documented in openldap documentation and the man pages. I would find it hard to believe that it just became obsolete and I am the only one with problems.

Also, perhaps I am looking at the problem wrong. Maybe it's an issue with kerberos in some way. I am a little short on my understanding of how kerberos passwords get hashed and stored in openldap, so maybe there is an answer there.

I am using SASL and Heimdal kerberos.

A search phrase on google, a direction, anything at this point would assist.

Thank you for your time :)

Robert