This is a discussion on Sun Directory Server and SHA-encrypted passwords within the comp.unix.solaris forums, part of the Solaris Operating System category.
Hi All,

I'm having a hell of a time trying to get Solaris 10 clients authenticate against a Sun Java System Directory Server 5.2 installation when using SHA-encrypted passwords. All the documentation I can find assumes that standard Unix crypt-format passwords are used.

When the password policy is set to use crypt, things work perfectly - but if I change the password policy to use SHA encryption, it locks me out. I can still bind to the server using tools like ldapsearch with SHA passwords, it just seems to be the Solaris login mechanism that refuses to work.

Is there any way I can store passwords encrypted via SHA and authenticate with Solaris 10, or am I stuck with standard Unix crypt passwords and the 8-character limit?

Thanks,
-Mark
Mark wrote:

> Hi All,
>
> I'm having a hell of a time trying to get Solaris 10 clients
> authenticate against a Sun Java System Directory Server 5.2
> installation when using SHA-encrypted passwords. All the documentation
> I can find assumes that standard Unix crypt-format passwords are used.
>
> When the password policy is set to use crypt, things work perfectly -
> but if I change the password policy to use SHA encryption, it locks me
> out. I can still bind to the server using tools like ldapsearch with
> SHA passwords, it just seems to be the Solaris login mechanism that
> refuses to work.
>
> Is there any way I can store passwords encrypted via SHA and
> authenticate with Solaris 10, or am I stuck with standard Unix crypt
> passwords and the 8-character limit?

You have to use pam_ldap to do authentication instead of pam_unix. In /etc/pam.conf everywhere you see a line that looks like:

    login auth required pam_unix_auth.so.1

You change it to the following two lines:

    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1 use_first_pass

Depending on how you have the ldapclient configured to connect to the server (proxyagent or anonymous), you need to make changes to the Directory Server so that pam_unix_auth cannot see the hashed password. If you are using a proxyagent this is accomplished by removing the ACI that is added by 'idsconfig' called:

    LDAP_Naming_Services_proxy_password_read

which is normally applied to the top node of the DIT.

I assumed you were using either "simple" or "tls:simple" as your authentication method, as with sasl/digest-md5 or sasl/cram-md5 you need to store passwords in the directory in cleartext.

Neal
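The pam.conf rewrite that Neal describes, as an added example that is not part of the thread and not Sun's own tooling: a small POSIX shell/awk script that turns every `auth required pam_unix_auth.so.1` line into the `binding ... server_policy` line followed by the `pam_ldap.so.1 use_first_pass` line, and a check that reports how many services still use pam_unix_auth for auth without a matching pam_ldap line. It assumes the Solaris 10 four-column pam.conf layout (service, module type, control flag, module path and options); the sample pam.conf it is run against is constructed for the example, and it writes to standard output rather than editing /etc/pam.conf in place so you can diff the result first.

```shell
#!/bin/sh
# Added example (not from the original thread or from Sun).
# Assumes the Solaris 10 /etc/pam.conf column layout:
#   service  module_type  control_flag  module_path [options]

# convert_pam_conf FILE
#   Prints FILE with each "auth required pam_unix_auth.so.1" line replaced
#   by the two lines Neal's reply calls for. Lines already converted
#   (control flag "binding") and every other line pass through untouched,
#   so the script is safe to run more than once.
convert_pam_conf() {
    awk '
        $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" {
            # keep the service name ($1) and emit the replacement pair
            printf "%s\tauth binding\t\tpam_unix_auth.so.1 server_policy\n", $1
            printf "%s\tauth required\t\tpam_ldap.so.1 use_first_pass\n", $1
            next
        }
        { print }
    ' "$1"
}

# count_missing_ldap FILE
#   Prints the number of services that have a pam_unix_auth auth line but
#   no pam_ldap auth line. A result of 0 after conversion means every
#   service that authenticated through pam_unix now also reaches pam_ldap.
count_missing_ldap() {
    awk '
        $2 == "auth" && $4 == "pam_unix_auth.so.1" { seen_unix[$1] = 1 }
        $2 == "auth" && $4 == "pam_ldap.so.1"      { seen_ldap[$1] = 1 }
        END {
            missing = 0
            for (svc in seen_unix) if (!(svc in seen_ldap)) missing++
            print missing
        }
    ' "$1"
}

# Typical use (review the diff before copying anything over /etc/pam.conf):
#   convert_pam_conf /etc/pam.conf > /tmp/pam.conf.new
#   diff /etc/pam.conf /tmp/pam.conf.new
#   count_missing_ldap /tmp/pam.conf.new
```

Because the `binding` flag lets pam_unix_auth succeed on its own when the directory still exposes the hash, the ACI removal Neal mentions is what actually forces authentication through pam_ldap; the script only covers the client-side file.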