Issue 38 in nsscache: ssha passwords in ldap not syncing

nssc...@googlecode.com
Feb 25, 2015, 10:52:59 AM2/25/15
to nsscache...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 38 by stemuede...@gmail.com: ssha passwords in ldap not syncing
https://code.google.com/p/nsscache/issues/detail?id=38

What steps will reproduce the problem?
1. sudo nsscache -v update -f


What is the expected output? What do you see instead?
expected is syncing my ssha passwords in ldap
I see instead:
INFO:root:Ignored password that was not in crypt format

What version of the product are you using? On what operating system?
version 0.23-2 ubuntu 64bit

Please provide any additional information below.
in ldapsource.py 641-644:

# Only an RFC 2307 {CRYPT} value is written to the shadow cache; the
# prefix is stripped and every other scheme is dropped with a log line.
if passwd[:7].lower() == '{crypt}':
  shadow_ent.passwd = passwd[7:]
else:
  logging.info('Ignored password that was not in crypt format')


So nsscache allows only sync for crypt passwords. Is it possible to use
ssha passwords too?

nssc...@googlecode.com
Mar 1, 2015, 8:23:17 PM3/1/15
to nsscache...@googlegroups.com

Comment #1 on issue 38 by j...@google.com: ssha passwords in ldap not syncing
https://code.google.com/p/nsscache/issues/detail?id=38

What format are SSHA passwords in, i.e. how are they presented so we can
identify them?

I am struggling to recall, but I think the reason is due to what format the
PAM library can decrypt -- this output gets written to the shadow cache and
then used by PAM to let you log in. If PAM supports SSHA, then this will
be trivial to support.

nssc...@googlecode.com
Mar 2, 2015, 3:55:56 AM3/2/15
to nsscache...@googlegroups.com

Comment #2 on issue 38 by stemuede...@gmail.com: ssha passwords in ldap not syncing
https://code.google.com/p/nsscache/issues/detail?id=38

http://www.openldap.org/faq/data/cache/347.html

"...{SHA} and {SSHA} are RFC 2307 password schemes which use the SHA1
secure hash algorithm. The {SSHA} is the seeded variant..."

{SSHA} is the default scheme used by slappasswd and so my users all have
SSHA passwords stored in LDAP.

It looks like the PAM library cannot decrypt SSHA. According to the
crypt(3) man page the supported encryption methods are:

ID | Method
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)

Damn. So all users must reenter their passwords if I use nsscache for
the passwords too.
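As an added example, not code from this thread or from nsscache itself, the following Python mirrors the {crypt} prefix check quoted from ldapsource.py in the opening post and the crypt(3) method ids listed in Comment #2. It shows the practical distinction the thread arrives at: an {SSHA} value can be verified by an LDAP-aware client (SHA-1 over password plus salt, base64 of digest plus salt), but it is not a crypt(3) string, so it cannot be placed in a shadow cache for PAM to check. All function names and the sample userPassword values are constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# crypt(3) method identifiers as listed in Comment #2 (glibc): id -> name
CRYPT_METHODS = {
    "1": "MD5",
    "2a": "Blowfish",
    "5": "SHA-256",
    "6": "SHA-512",
}

_SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)
_CRYPT_ID_RE = re.compile(r"^\$([0-9a-z]+)\$")


def split_scheme(userpassword):
    """Split an RFC 2307 userPassword value into (SCHEME, payload).
    '{SSHA}abc' -> ('SSHA', 'abc'); a value without a prefix -> (None, value)."""
    m = _SCHEME_RE.match(userpassword)
    if m:
        return m.group(1).upper(), m.group(2)
    return None, userpassword


def crypt_method(hash_string):
    """Name of the crypt(3) method for a '$id$...' string, or None when the
    string is not in crypt(3) format (an SSHA digest, for instance)."""
    m = _CRYPT_ID_RE.match(hash_string)
    if not m:
        return None
    return CRYPT_METHODS.get(m.group(1))


def shadow_hash_for(userpassword):
    """Same decision as the ldapsource.py snippet: only a {CRYPT} value
    yields a hash for the shadow cache; anything else is ignored (None)."""
    scheme, payload = split_scheme(userpassword)
    if scheme == "CRYPT":
        return payload
    return None


def classify(userpassword):
    """Return (scheme, crypt method name or None, usable in shadow cache)."""
    scheme, payload = split_scheme(userpassword)
    method = crypt_method(payload) if scheme == "CRYPT" else None
    return scheme, method, shadow_hash_for(userpassword) is not None


def make_ssha(password, salt):
    """Build an {SSHA} value the way slappasswd does (used for the sample)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(userpassword, candidate):
    """Verify a candidate password against an {SSHA} value. This is what an
    LDAP-aware PAM module does; crypt(3) has no handler for this format."""
    scheme, payload = split_scheme(userpassword)
    if scheme != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample values (not taken from any real directory).
# The {CRYPT} hash body is a placeholder of the right shape, not a real hash.
SAMPLES = {
    "crypt_sha512": "{CRYPT}$6$saltsalt$" + "x" * 86,
    "ssha": make_ssha("correct horse", b"\x01\x02\x03\x04"),
    "plain": "notahash",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value))
```

Running the block prints one classification per sample: the {CRYPT} value is recognised as SHA-512 and would reach the shadow cache, while the {SSHA} and bare values are ignored exactly as the quoted nsscache check does.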

nssc...@googlecode.com
Mar 2, 2015, 8:25:29 PM3/2/15
to nsscache...@googlegroups.com
Updates:
Status: WontFix

Comment #3 on issue 38 by j...@google.com: ssha passwords in ldap not syncing
https://code.google.com/p/nsscache/issues/detail?id=38

Primarily, nsscache is designed for synchronising the NSS databases, not
PAM, so I recommend that you continue accessing your LDAP directory via PAM
for authentication and use nsscache for the nameservice lookups as a
complement to each other.

nssc...@googlecode.com
Mar 3, 2015, 2:55:46 AM3/3/15
to nsscache...@googlegroups.com

Comment #4 on issue 38 by stemuede...@gmail.com: ssha passwords in ldap not syncing
https://code.google.com/p/nsscache/issues/detail?id=38

OK, thank you. I will use nsscache for nameservices and do pam auth with
libpam-ldap or libpam-ldapd.