Discussion:
OS X Yosemite clients
(too old to reply)
o***@mountainlake.k12.mn.us
2015-10-05 12:48:12 UTC
Permalink
Raw Message
Content preview: I have this problem resolved. It isn't related to the OpenLDAP
code at all, but has to do with the password formatting. What I found was
the passwords in OpenLDAP were in this format: {MD5}<base 64 encoded md5
digest><newline character> [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

I have this problem resolved. It isn't related to the OpenLDAP code at all,
but has to do with the password formatting.

What I found was the passwords in OpenLDAP were in this format:

{MD5}<base 64 encoded md5 digest><newline character>

The base64 encoder on the Linux server always adds a a newline character (\n)
to the end of the encoding. Multiple platforms have always ignored that character
until OS X 10.10.5. Simply removing the newline before inserting the encoded
password into the OpenLDAP database allows 10.10.5 and later to authenticate
against that password.

--
Jon
Michael Ströder
2015-10-06 06:54:50 UTC
Permalink
Raw Message
Post by o***@mountainlake.k12.mn.us
{MD5}<base 64 encoded md5 digest><newline character>
I wonder why people still use MD5 hashes - even un-salted.
Note that this is almost clear-text nowadays.

Ciao, Michael.

Loading...