[Pkg-openldap-devel] Bug#444172: Bug#444172: slapd: accepts incorrect passwords
Quanah Gibson-Mount
quanah at zimbra.com
Thu Sep 27 23:52:29 UTC 2007
--On Thursday, September 27, 2007 10:45 PM +0200 Paweł Pałucha
<pawel at praterm.com.pl> wrote:
> Quanah Gibson-Mount wrote:
>
>>> I'm able to reproduce it using just ldapsearch:
>>>
>>> ldapsearch -b 'ou=People,dc=praterm,dc=pl' -D \
>>> 'uid=pawel,ou=People,dc=praterm,dc=pl' -x -W
>>>
>>> It asks for password and accepts anything that starts with the correct
>>> password.
>>
>> Right, I can't reproduce it using ldapsearch when the {CRYPT} password
>> is generated by slappasswd.
>>
>> Can you send me the userPassword value for one of your entries that has
>> the "1234" password? I can use that value in my DB directly then.
>
> I discovered one more thing - it does not work for passwords shorter than
> 8 characters. However it works for 8, 9, 10 and 12 - I haven't tried more.
Welcome to the wonderful world of crypt. This is a known limitation of
using crypt passwords, which only check the first 8 characters. This is
why it is recommended to use SSHA type password hashes. I suggest this bug
report be closed.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
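Added example, not code from this thread or from the OpenLDAP project: a small Python audit that classifies stored userPassword values, flags the 13-character traditional DES {CRYPT} form that Quanah is describing (crypt(3) truncates the password to 8 bytes before hashing, so any password that begins with the right 8 characters verifies), and shows an {SSHA} verifier where every byte of the password enters the digest. The sample values are constructed; the {SSHA} one is generated in the block with a fixed salt so the check is reproducible.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters,
# all from this 64-character alphabet. The password is truncated to 8 bytes
# before hashing, which is the behaviour reported in the thread.
_CRYPT_ALPHABET = r"./0-9A-Za-z"
_DES_CRYPT_RE = re.compile(rf"^[{_CRYPT_ALPHABET}]{{13}}$")


def parse_userpassword(value: str):
    """Split an RFC 2307 style userPassword into (scheme, payload).

    Values without a {SCHEME} prefix are stored as cleartext.
    """
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.DOTALL)
    if not m:
        return ("CLEARTEXT", value)
    return (m.group(1).upper(), m.group(2))


def is_traditional_des_crypt(payload: str) -> bool:
    """True for the 13-character traditional DES crypt form (8-byte limit)."""
    return bool(_DES_CRYPT_RE.match(payload))


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value in the layout slapd expects:
    SHA-1 over password||salt, then base64 of digest||salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value. Every byte of the password
    goes into the digest, so '123456789' does not match a hash of '12345678'."""
    scheme, payload = parse_userpassword(stored)
    if scheme != "SSHA":
        return False
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_userpassword(values):
    """Classify stored values; returns a list of (value, verdict) tuples."""
    findings = []
    for value in values:
        scheme, payload = parse_userpassword(value)
        if scheme == "CLEARTEXT":
            verdict = "cleartext: no hashing at all"
        elif scheme == "CRYPT" and is_traditional_des_crypt(payload):
            verdict = "traditional DES crypt: only first 8 characters checked"
        elif scheme == "CRYPT":
            verdict = "crypt with modular ($id$) format: no 8-character limit"
        elif scheme in ("SSHA", "SHA"):
            verdict = f"{scheme}: full password is hashed"
        else:
            verdict = f"{scheme}: review manually"
        findings.append((value, verdict))
    return findings


# Constructed sample values (not from the thread): the first {CRYPT} string is
# a made-up 13-character DES-style hash, the second a made-up SHA-512 crypt
# string, and the {SSHA} value is generated here with a fixed salt.
SAMPLE_VALUES = [
    "{CRYPT}abJnggxhB/yWI",
    "{CRYPT}$6$rounds=5000$saltsalt$" + "x" * 86,
    make_ssha("12345678", salt=b"\x01\x02\x03\x04"),
    "1234",
]

if __name__ == "__main__":
    for value, verdict in audit_userpassword(SAMPLE_VALUES):
        print(f"{verdict:58s} {value[:32]}")
```

Running the block prints one verdict per sample value; in a real directory you would feed it the userPassword attribute of each entry (for example from an ldapsearch export) and migrate any entry flagged as traditional DES crypt or cleartext to {SSHA}, which is the remedy Quanah recommends above.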