How to enable SHA-1 on AIX LDAP clients - Aix


  1. How to enable SHA-1 on AIX LDAP clients

    I am trying to configure my LDAP directory to support encrypted
    passwords (longer than 8 characters). I have this working on the
    server. In the ibmslapd.conf file, it shows ibm-SlapdPwEncryption is
    set to SHA. Authentication works on this node. However, I have not
    been able to determine how this should be configured on the client.
    Nothing in the documentation indicates how one would change this with
    "mksecldap -c" or other command line tools. There is no ibmslapd.conf
    on the clients. It appears that the ldapmodify command is only for the
    server.

    Can anyone point me in the right direction?

    Thanks,
    Craig


  2. Re: How to enable SHA-1 on AIX LDAP clients


    ctierney42 wrote:
    > I am trying to configure my LDAP directory to support encrypted
    > passwords (longer than 8 characters). I have this working on the
    > server. In the ibmslapd.conf file, it shows ibm-SlapdPwEncryption is
    > set to SHA. Authentication works on this node. However, I have not
    > been able to determine how this should be configured on the client.
    > Nothing in the documentation indicates how one would change this with
    > "mksecldap -c" or other command line tools. There is no ibmslapd.conf
    > on the clients. It appears that the ldapmodify command is only for the
    > server.
    >
    > Can anyone point me in the right direction?
    >
    > Thanks,
    > Craig


    part 2 of this redbook addresses clients

    http://www.redbooks.ibm.com/abstract...7165.html?Open

    other useful ldap links here

    http://www.google.com/search?hl=en&q...+%2B+%22aix%22


  3. Re: How to enable SHA-1 on AIX LDAP clients


    aixdude@yahoo.com wrote:
    > ctierney42 wrote:
    > > I am trying to configure my LDAP directory to support encrypted
    > > passwords (longer than 8 characters). I have this working on the
    > > server. In the ibmslapd.conf file, it shows ibm-SlapdPwEncryption is
    > > set to SHA. Authentication works on this node. However, I have not
    > > been able to determine how this should be configured on the client.
    > > Nothing in the documentation indicates how one would change this with
    > > "mksecldap -c" or other command line tools. There is no ibmslapd.conf
    > > on the clients. It appears that the ldapmodify command is only for the
    > > server.
    > >
    > > Can anyone point me in the right direction?
    > >
    > > Thanks,
    > > Craig

    >
    > part 2 of this redbook addresses clients
    >
    > http://www.redbooks.ibm.com/abstract...7165.html?Open
    >
    > other useful ldap links here
    >
    > http://www.google.com/search?hl=en&q...+%2B+%22aix%22


    Thanks for the links. The first link (which I had but had not searched
    because I am not building a heterogeneous environment) had details to
    help. Part of the answer to my question was that we needed to configure
    the system for server-side authentication. According to the first link,
    that required changing auth_type from UNIX_AUTH to LDAP_AUTH.

    We made this change by hand in the /etc/security/ldap/ldap.cfg file as
    we found no documentation on how this may be changed using a
    command-line tool.

    After doing that and restarting both the client and the server (to be
    safe) we verified that the setting changed with ls-secldapclntd.

    However, it still doesn't work. Users with their passwords as {crypt}
    can authenticate, but those as {SHA} cannot. I do know that it is using
    SSL because we have blocked port 389 with the firewall (gov't security
    regulations).

    We have tried changing passwords from existing users and also creating
    new users to see if there was some quirk in the password settings. No
    luck.

    Any other suggestions?

    Thanks,
    Craig

