Date: Tue, 30 Nov 2004 17:36:00 GMT
From: Cat Okita <cat@reptiles.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/74560: Ports openldap22-* library compilation order causes {crypt}md5 authentication to fail
Message-ID: <200411301736.iAUHa0MD025058@www.freebsd.org>
Resent-Message-ID: <200411301740.iAUHeO6F089052@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 74560
>Category: ports
>Synopsis: Ports openldap22-* library compilation order causes {crypt}md5 authentication to fail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 30 17:40:23 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Cat Okita
>Release: 5.3-BETA5
>Organization:
Earthworks
>Environment:
FreeBSD rei.example.com 5.3-BETA5 FreeBSD 5.3-BETA5 #0: Wed Nov 10 15:27:06 EST 2004 root@rei.example.com:/usr/src/sys/i386/compile/REI i386
>Description:
Openldap uses the first available crypt() function when comparing passwords stored as {crypt}<foo>. As currently compiled (-lssl -lcrypto), the first available crypt() function is selected from openssl, which doesn't support md5 - and thus passwords will never match. Changing the compile order to (-lcrypto -lssl) resolves this isssue, and doesn't have any other affect.
>How-To-Repeat:
Compile openldap22-server 'out of the box' and import user passwords from FreeBSD's password file (the PADL scripts work), using "userPassword={CRYPT}[md5 hash]", which is the default setting. Anonymous bind and root bind searches will work - user-bound searches will fail with a "ldap_bind: Invalid credentials (49)" error.
>Fix:
Reverse the order of "-lssl -lcrypto" in the main Makefile.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200411301736.iAUHa0MD025058>