ssha passwords in ldap not syncing about nsscache HOT 4 CLOSED

Comment #1 originally posted by jaqx0r on 2015-03-02T01:23:05.000Z:

What format are SSHA passwords in, i.e. how are they presented so we can identify them?

I am struggling to recall, but I think the reason is due to what format the PAM library can decrypt -- this output gets written to the shadow cache and then used by PAM to let you log in. If PAM supports SSHA, then this will be trivial to support.

from nsscache.

Comment #2 originally posted by jaqx0r on 2015-03-02T08:55:45.000Z:

http://www.openldap.org/faq/data/cache/347.html

"...{SHA} and {SSHA} are RFC 2307 passwords schemes which use the SHA1
secure hash algorithm. The {SSHA} is the seeded varient..."

{SSHA} is default scheme used by slappasswd and so my users all have
SSHA passwords stored in LDAP.

It looks like the PAM library can not decrypt SSHA. According to the
crypt(3) man page the supported encryption methods are:

1 | MD5
2a | Blowfish (not in mainline glibc; added in some
| Linux distributions)
5 | SHA-256 (since glibc 2.7)
6 | SHA-512 (since glibc 2.7)

Damn. So all users must reenter their passwords if I use nsscache for
the passwords too.

from nsscache.

Comment #3 originally posted by jaqx0r on 2015-03-03T01:25:10.000Z:

Primarily, nsscache is designed for synchronising the NSS databases, not PAM, so I recommend that you continue accessing yoru LDAP directory via PAM for authentication and use nsscache for the nameservice lookups as a complement to each other.

from nsscache.

Comment #4 originally posted by jaqx0r on 2015-03-03T07:55:27.000Z:

OK, thank you. I will use nsscache for nameservices and do pam auth with
libpam-ldap or libpam-ldapd.

from nsscache.