Update slapd to use lutil_passwd() for both user and root passwords.

Remove MD5 and SHA1 options (both are now always on).  Rename
functions to be lutil_ instead of ldap_.
Create --enable-cleartext option.  Default is currently 'on'.

acconfig.h

@@ -151,15 +151,15 @@
 /* define this for ACL Group support */
 #undef SLAPD_ACLGROUPS
 
+/* define this for ClearText password support */
+#undef SLAPD_CLEARTEXT
+
 /* define this for crypt(3) password support */
 #undef SLAPD_CRYPT
 
 /* define this to use SLAPD LDBM backend */
 #undef SLAPD_LDBM
 
-/* define this for MD5 password support */
-#undef SLAPD_MD5
-
 /* define this to use SLAPD passwd backend */
 #undef SLAPD_PASSWD
 
@@ -169,9 +169,6 @@
 /* define this for Reverse Lookup support */
 #undef SLAPD_RLOOKUPS
 
-/* define this for SHA1 password support */
-#undef SLAPD_SHA1
-
 /* define this to use SLAPD shell backend */
 #undef SLAPD_SHELL
 

configure.in

@@ -67,9 +67,8 @@ dnl SLAPD OPTIONS
 AC_ARG_WITH(xxslapdoptions,[SLAPD Options:])
 OL_ARG_ENABLE(slapd,[  --enable-slapd	enable building slapd], yes)dnl
 OL_ARG_ENABLE(aclgroups,[    --enable-aclgroups	enable ACL group support], auto)dnl
+OL_ARG_ENABLE(cleartext,[    --enable-cleartext	enable cleartext passwords], yes)dnl
 OL_ARG_ENABLE(crypt,[    --enable-crypt	enable crypt(3) passwords], auto)dnl
-OL_ARG_ENABLE(md5,[    --enable-md5	enable MD5 passwords], auto)dnl
-OL_ARG_ENABLE(sha1,[    --enable-sha1	enable SHA1 passwords], auto)dnl
 OL_ARG_ENABLE(wrappers,[    --enable-wrappers	enable tcp wrapper support], no)dnl
 OL_ARG_ENABLE(phonetic,[    --enable-phonetic	enable phonetic/soundex], no)dnl
 OL_ARG_ENABLE(rlookups,[    --enable-rlookups	enable reverse lookups], auto)dnl
@@ -116,15 +115,6 @@ if test $ol_enable_slapd = no ; then
 	if test $ol_enable_aclgroups = yes ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable_aclgroups argument])
 	fi
-	if test $ol_enable_crypt = yes ; then
-		AC_MSG_WARN([slapd disabled, ignoring --enable_crypt argument])
-	fi
-	if test $ol_enable_md5 = yes ; then
-		AC_MSG_WARN([slapd disabled, ignoring --enable_md5 argument])
-	fi
-	if test $ol_enable_sha1 = yes ; then
-		AC_MSG_WARN([slapd disabled, ignoring --enable_sha1 argument])
-	fi
 	if test $ol_enable_wrappers = yes ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable_wrappers argument])
 	fi
@@ -149,9 +139,6 @@ if test $ol_enable_slapd = no ; then
 	ol_enable_shell=no
 	ol_enable_passwd=no
 	ol_enable_aclgroups=no
-	ol_enable_crypt=no
-	ol_enable_md5=no
-	ol_enable_sha1=no
 	ol_enable_wrappers=no
 	ol_enable_phonetic=no
 	ol_enable_rlookups=no
@@ -1134,11 +1121,8 @@ fi
 if test $ol_enable_crypt != no ; then
 	AC_DEFINE(SLAPD_CRYPT,1)
 fi
-if test $ol_enable_md5 != no ; then
-	AC_DEFINE(SLAPD_MD5,1)
-fi
-if test $ol_enable_sha1 != no ; then
-	AC_DEFINE(SLAPD_SHA1,1)
+if test $ol_enable_cleartext != no ; then
+	AC_DEFINE(SLAPD_CLEARTEXT,1)
 fi
 if test $ol_enable_phonetic != no ; then
 	AC_DEFINE(SLAPD_PHONETIC,1)

include/lutil.h

@@ -10,8 +10,8 @@ LDAP_BEGIN_DECL
 
 /* ISC Base64 Routines */
 /* base64.c */
-LDAP_F int b64_ntop LDAP_P((u_char const *, size_t, char *, size_t));
-LDAP_F int b64_pton LDAP_P((char const *, u_char *, size_t));
+LDAP_F int lutil_b64_ntop LDAP_P((u_char const *, size_t, char *, size_t));
+LDAP_F int lutil_b64_pton LDAP_P((char const *, u_char *, size_t));
 /* detach.c */
 LDAP_F void lutil_detach LDAP_P((int debug, int do_close));
 /* passwd.c */

include/lutil_md5.h

@@ -1,7 +1,7 @@
 /* See md5.c for explanation and copyright information.  */
 
-#ifndef _LDAP_MD5_H_
-#define _LDAP_MD5_H_
+#ifndef _LUTIL_MD5_H_
+#define _LUTIL_MD5_H_
 
 #include <ldap_cdefs.h>
 #include <ac/bytes.h>
@@ -19,33 +19,33 @@ LDAP_BEGIN_DECL
 typedef LDAP_UINT4 uint32;
 #endif
 
-struct ldap_MD5Context {
+struct lutil_MD5Context {
 	uint32 buf[4];
 	uint32 bits[2];
 	unsigned char in[64];
 };
 
-LDAP_F void ldap_MD5Init LDAP_P((
-	struct ldap_MD5Context *context));
+LDAP_F void lutil_MD5Init LDAP_P((
+	struct lutil_MD5Context *context));
 
-LDAP_F void ldap_MD5Update LDAP_P((
-	struct ldap_MD5Context *context,
+LDAP_F void lutil_MD5Update LDAP_P((
+	struct lutil_MD5Context *context,
 	unsigned char const *buf,
 	unsigned len));
 
-LDAP_F void ldap_MD5Final LDAP_P((
+LDAP_F void lutil_MD5Final LDAP_P((
 	unsigned char digest[16],
-	struct ldap_MD5Context *context));
+	struct lutil_MD5Context *context));
 
-LDAP_F void ldap_MD5Transform LDAP_P((
+LDAP_F void lutil_MD5Transform LDAP_P((
 	uint32 buf[4],
 	const unsigned char in[64]));
 
 /*
  * This is needed to make RSAREF happy on some MS-DOS compilers.
  */
-typedef struct ldap_MD5Context ldap_MD5_CTX;
+typedef struct lutil_MD5Context lutil_MD5_CTX;
 
 LDAP_END_DECL
 
-#endif /* _LDAP_MD5_H_ */
+#endif /* _LUTIL_MD5_H_ */

include/lutil_sha1.h

@@ -1,8 +1,8 @@
 /* This version is based on:
  *	$OpenBSD: sha1.h,v 1.8 1997/07/15 01:54:23 millert Exp $	*/
 
-#ifndef _LDAP_SHA1_H_
-#define _LDAP_SHA1_H_
+#ifndef _LUTIL_SHA1_H_
+#define _LUTIL_SHA1_H_
 
 #include <ldap_cdefs.h>
 #include <ac/bytes.h>
@@ -24,29 +24,29 @@ typedef struct {
     uint32 state[5];
     uint32 count[2];  
     unsigned char buffer[64];
-} ldap_SHA1_CTX;
+} lutil_SHA1_CTX;
   
-LDAP_F void ldap_SHA1Transform
+LDAP_F void lutil_SHA1Transform
 	LDAP_P((uint32 state[5], const unsigned char buffer[64]));
 
-LDAP_F void ldap_SHA1Init
-	LDAP_P((ldap_SHA1_CTX *context));
+LDAP_F void lutil_SHA1Init
+	LDAP_P((lutil_SHA1_CTX *context));
 
-LDAP_F void ldap_SHA1Update
-	LDAP_P((ldap_SHA1_CTX *context, const unsigned char *data, u_int len));
+LDAP_F void lutil_SHA1Update
+	LDAP_P((lutil_SHA1_CTX *context, const unsigned char *data, u_int len));
 
-LDAP_F void ldap_SHA1Final
-	LDAP_P((unsigned char digest[20], ldap_SHA1_CTX *context));
+LDAP_F void lutil_SHA1Final
+	LDAP_P((unsigned char digest[20], lutil_SHA1_CTX *context));
 
-LDAP_F char *ldap_SHA1End
-	LDAP_P((ldap_SHA1_CTX *, char *));
+LDAP_F char *lutil_SHA1End
+	LDAP_P((lutil_SHA1_CTX *, char *));
 
-LDAP_F char *ldap_SHA1File
+LDAP_F char *lutil_SHA1File
 	LDAP_P((char *, char *));
 
-LDAP_F char *ldap_SHA1Data
+LDAP_F char *lutil_SHA1Data
 	LDAP_P((const unsigned char *, size_t, char *));
 
 LDAP_END_DECL
 
-#endif /* _LDAP_SHA1_H_ */
+#endif /* _LUTIL_SHA1_H_ */

include/portable.h.in

@@ -240,15 +240,15 @@ is provided ``as is'' without express or implied warranty.
 /* define this for ACL Group support */
 #undef SLAPD_ACLGROUPS
 
+/* define this for ClearText password support */
+#undef SLAPD_CLEARTEXT
+
 /* define this for crypt(3) password support */
 #undef SLAPD_CRYPT
 
 /* define this to use SLAPD LDBM backend */
 #undef SLAPD_LDBM
 
-/* define this for MD5 password support */
-#undef SLAPD_MD5
-
 /* define this to use SLAPD passwd backend */
 #undef SLAPD_PASSWD
 
@@ -258,9 +258,6 @@ is provided ``as is'' without express or implied warranty.
 /* define this for Reverse Lookup support */
 #undef SLAPD_RLOOKUPS
 
-/* define this for SHA1 password support */
-#undef SLAPD_SHA1
-
 /* define this to use SLAPD shell backend */
 #undef SLAPD_SHELL
 

libraries/liblutil/base64.c

@@ -127,7 +127,7 @@ static const char Pad64 = '=';
    */
 
 int
-b64_ntop(
+lutil_b64_ntop(
 	u_char const *src,
 	size_t srclength,
 	char *target,
@@ -198,7 +198,7 @@ b64_ntop(
  */
 
 int
-b64_pton(
+lutil_b64_pton(
 	char const *src,
 	u_char *target, 
 	size_t targsize)

libraries/liblutil/md5.c

@@ -65,7 +65,7 @@ putu32( uint32 data, unsigned char *addr )
  * initialization constants.
  */
 void
-ldap_MD5Init( struct ldap_MD5Context *ctx )
+lutil_MD5Init( struct lutil_MD5Context *ctx )
 {
 	ctx->buf[0] = 0x67452301;
 	ctx->buf[1] = 0xefcdab89;
@@ -81,8 +81,8 @@ ldap_MD5Init( struct ldap_MD5Context *ctx )
  * of bytes.
  */
 void
-ldap_MD5Update(
-    struct ldap_MD5Context	*ctx,
+lutil_MD5Update(
+    struct lutil_MD5Context	*ctx,
     const unsigned char		*buf,
     unsigned int		len
 )
@@ -109,7 +109,7 @@ ldap_MD5Update(
 			return;
 		}
 		memcpy(p, buf, t);
-		ldap_MD5Transform(ctx->buf, ctx->in);
+		lutil_MD5Transform(ctx->buf, ctx->in);
 		buf += t;
 		len -= t;
 	}
@@ -118,7 +118,7 @@ ldap_MD5Update(
 
 	while (len >= 64) {
 		memcpy(ctx->in, buf, 64);
-		ldap_MD5Transform(ctx->buf, ctx->in);
+		lutil_MD5Transform(ctx->buf, ctx->in);
 		buf += 64;
 		len -= 64;
 	}
@@ -133,7 +133,7 @@ ldap_MD5Update(
  * 1 0* (64-bit count of bits processed, MSB-first)
  */
 void
-ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
+lutil_MD5Final( unsigned char *digest, struct lutil_MD5Context *ctx )
 {
 	unsigned count;
 	unsigned char *p;
@@ -153,7 +153,7 @@ ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
 	if (count < 8) {
 		/* Two lots of padding:  Pad the first block to 64 bytes */
 		memset(p, 0, count);
-		ldap_MD5Transform(ctx->buf, ctx->in);
+		lutil_MD5Transform(ctx->buf, ctx->in);
 
 		/* Now fill the next block with 56 bytes */
 		memset(ctx->in, 0, 56);
@@ -166,7 +166,7 @@ ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
 	putu32(ctx->bits[0], ctx->in + 56);
 	putu32(ctx->bits[1], ctx->in + 60);
 
-	ldap_MD5Transform(ctx->buf, ctx->in);
+	lutil_MD5Transform(ctx->buf, ctx->in);
 	putu32(ctx->buf[0], digest);
 	putu32(ctx->buf[1], digest + 4);
 	putu32(ctx->buf[2], digest + 8);
@@ -194,7 +194,7 @@ ldap_MD5Final( unsigned char *digest, struct ldap_MD5Context *ctx )
  * the data and converts bytes into longwords for this routine.
  */
 void
-ldap_MD5Transform( uint32 *buf, const unsigned char *inraw )
+lutil_MD5Transform( uint32 *buf, const unsigned char *inraw )
 {
 	register uint32 a, b, c, d;
 	uint32 in[16];
@@ -291,7 +291,7 @@ ldap_MD5Transform( uint32 *buf, const unsigned char *inraw )
 int
 main (int  argc, char **argv )
 {
-	struct ldap_MD5Context context;
+	struct lutil_MD5Context context;
 	unsigned char checksum[16];
 	int i;
 	int j;
@@ -304,9 +304,9 @@ main (int  argc, char **argv )
 	for (j = 1; j < argc; ++j)
 	{
 		printf ("MD5 (\"%s\") = ", argv[j]);
-		ldap_MD5Init (&context);
-		ldap_MD5Update (&context, argv[j], strlen (argv[j]));
-		ldap_MD5Final (checksum, &context);
+		lutil_MD5Init (&context);
+		lutil_MD5Update (&context, argv[j], strlen (argv[j]));
+		lutil_MD5Final (checksum, &context);
 		for (i = 0; i < 16; i++)
 		{
 			printf ("%02x", (unsigned int) checksum[i]);

libraries/liblutil/passwd.c

@@ -18,6 +18,7 @@
 #include "lutil.h"
 
 /*
+ * Return 0 if creds are good.
  */
 
 int
@@ -27,53 +28,58 @@ lutil_passwd(
 {
 
 	if (cred == NULL || passwd == NULL) {
-		return 0;
+		return -1;
 	}
 
 	if (strncasecmp(passwd, "{CRYPT}", sizeof("{CRYPT}") - 1) == 0 ) {
 		const char *p = passwd + (sizeof("{CRYPT}") - 1);
 
-		return( strcmp(p, crypt(cred, p)) != 0 );
+		return( strcmp(p, crypt(cred, p)) );
 
 	} else if (strncasecmp(passwd, "{MD5}", sizeof("{MD5}") - 1) == 0 ) {
-		ldap_MD5_CTX MD5context;
-		unsigned char MD5digest[20];
-		char base64digest[29];  /* ceiling(sizeof(input)/3) * 4 + 1 */
+		lutil_MD5_CTX MD5context;
+		unsigned char MD5digest[16];
+		char base64digest[25];  /* ceiling(sizeof(input)/3) * 4 + 1 */
 
 		const char *p = passwd + (sizeof("{MD5}") - 1);
 
-		ldap_MD5Init(&MD5context);
-		ldap_MD5Update(&MD5context,
+		lutil_MD5Init(&MD5context);
+		lutil_MD5Update(&MD5context,
 			       (const unsigned char *)cred, strlen(cred));
-		ldap_MD5Final(MD5digest, &MD5context);
+		lutil_MD5Final(MD5digest, &MD5context);
 
-		if ( b64_ntop(MD5digest, sizeof(MD5digest),
+		if ( lutil_b64_ntop(MD5digest, sizeof(MD5digest),
 			base64digest, sizeof(base64digest)) < 0)
 		{
 			return ( 1 );
 		}
 
-		return (strcmp(p, base64digest) != 0);
+		return( strcmp(p, base64digest) );
 
 	} else if (strncasecmp(passwd, "{SHA}",sizeof("{SHA}") - 1) == 0 ) {
-		ldap_SHA1_CTX SHA1context;
+		lutil_SHA1_CTX SHA1context;
 		unsigned char SHA1digest[20];
 		char base64digest[29];  /* ceiling(sizeof(input)/3) * 4 + 1 */
 		const char *p = passwd + (sizeof("{SHA}") - 1);
 
-		ldap_SHA1Init(&SHA1context);
-		ldap_SHA1Update(&SHA1context,
+		lutil_SHA1Init(&SHA1context);
+		lutil_SHA1Update(&SHA1context,
 				(const unsigned char *) cred, strlen(cred));
-		ldap_SHA1Final(SHA1digest, &SHA1context);
+		lutil_SHA1Final(SHA1digest, &SHA1context);
 
-		if (b64_ntop(SHA1digest, sizeof(SHA1digest),
+		if (lutil_b64_ntop(SHA1digest, sizeof(SHA1digest),
 			base64digest, sizeof(base64digest)) < 0)
 		{
-			return ( 0 );
+			return ( 1 );
 		}
 
-		return( strcmp(p, base64digest) != 0 );
+		return( strcmp(p, base64digest) );
 	}
 
-	return( strcmp(passwd, cred) != 0 );
+#ifdef SLAPD_CLEARTEXT
+	return( strcmp(passwd, cred) );
+#else
+	return( 1 );
+#endif
+
 }

libraries/liblutil/sha1.c

@@ -58,7 +58,7 @@
  * Hash a single 512-bit block. This is the core of the algorithm.
  */
 void
-ldap_SHA1Transform( uint32 *state, const unsigned char *buffer )
+lutil_SHA1Transform( uint32 *state, const unsigned char *buffer )
 {
     uint32 a, b, c, d, e;
     typedef union {
@@ -117,10 +117,10 @@ ldap_SHA1Transform( uint32 *state, const unsigned char *buffer )
 
 
 /*
- * ldap_SHA1Init - Initialize new context
+ * lutil_SHA1Init - Initialize new context
  */
 void
-ldap_SHA1Init( ldap_SHA1_CTX *context )
+lutil_SHA1Init( lutil_SHA1_CTX *context )
 {
 
     /* SHA1 initialization constants */
@@ -137,8 +137,8 @@ ldap_SHA1Init( ldap_SHA1_CTX *context )
  * Run your data through this.
  */
 void
-ldap_SHA1Update(
-    ldap_SHA1_CTX	*context,
+lutil_SHA1Update(
+    lutil_SHA1_CTX	*context,
     const unsigned char	*data,
     u_int		len
 )
@@ -151,9 +151,9 @@ ldap_SHA1Update(
     j = (j >> 3) & 63;
     if ((j + len) > 63) {
 	(void)memcpy(&context->buffer[j], data, (i = 64-j));
-	ldap_SHA1Transform(context->state, context->buffer);
+	lutil_SHA1Transform(context->state, context->buffer);
 	for ( ; i + 63 < len; i += 64)
-	    ldap_SHA1Transform(context->state, &data[i]);
+	    lutil_SHA1Transform(context->state, &data[i]);
 	j = 0;
     } else {
 	i = 0;
@@ -166,7 +166,7 @@ ldap_SHA1Update(
  * Add padding and return the message digest.
  */
 void
-ldap_SHA1Final( unsigned char *digest, ldap_SHA1_CTX *context )
+lutil_SHA1Final( unsigned char *digest, lutil_SHA1_CTX *context )
 {
     u_int i;
     unsigned char finalcount[8];
@@ -175,10 +175,10 @@ ldap_SHA1Final( unsigned char *digest, ldap_SHA1_CTX *context )
 	finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
 	 >> ((3-(i & 3)) * 8) ) & 255);	 /* Endian independent */
     }
-    ldap_SHA1Update(context, (unsigned char *)"\200", 1);
+    lutil_SHA1Update(context, (unsigned char *)"\200", 1);
     while ((context->count[0] & 504) != 448)
-	ldap_SHA1Update(context, (unsigned char *)"\0", 1);
-    ldap_SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
+	lutil_SHA1Update(context, (unsigned char *)"\0", 1);
+    lutil_SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
 
     if (digest) {
 	for (i = 0; i < 20; i++)
@@ -225,7 +225,7 @@ static char rcsid[] = "$OpenBSD: sha1hl.c,v 1.1 1997/07/12 20:06:03 millert Exp
 
 /* ARGSUSED */
 char *
-ldap_SHA1End( ldap_SHA1_CTX *ctx, char *buf )
+lutil_SHA1End( lutil_SHA1_CTX *ctx, char *buf )
 {
     int i;
     char *p = buf;
@@ -235,7 +235,7 @@ ldap_SHA1End( ldap_SHA1_CTX *ctx, char *buf )
     if (p == NULL && (p = malloc(41)) == NULL)
 	return 0;
 
-    ldap_SHA1Final(digest,ctx);
+    lutil_SHA1Final(digest,ctx);
     for (i = 0; i < 20; i++) {
 	p[i + i] = hex[digest[i] >> 4];
 	p[i + i + 1] = hex[digest[i] & 0x0f];
@@ -245,32 +245,32 @@ ldap_SHA1End( ldap_SHA1_CTX *ctx, char *buf )
 }
 
 char *
-ldap_SHA1File( char *filename, char *buf )
+lutil_SHA1File( char *filename, char *buf )
 {
     unsigned char buffer[BUFSIZ];
-    ldap_SHA1_CTX ctx;
+    lutil_SHA1_CTX ctx;
     int fd, num, oerrno;
 
-    ldap_SHA1Init(&ctx);
+    lutil_SHA1Init(&ctx);
 
     if ((fd = open(filename,O_RDONLY)) < 0)
 	return(0);
 
     while ((num = read(fd, buffer, sizeof(buffer))) > 0)
-	ldap_SHA1Update(&ctx, buffer, num);
+	lutil_SHA1Update(&ctx, buffer, num);
 
     oerrno = errno;
     close(fd);
     errno = oerrno;
-    return(num < 0 ? 0 : ldap_SHA1End(&ctx, buf));
+    return(num < 0 ? 0 : lutil_SHA1End(&ctx, buf));
 }
 
 char *
-ldap_SHA1Data( const unsigned char *data, size_t len, char *buf )
+lutil_SHA1Data( const unsigned char *data, size_t len, char *buf )
 {
-    ldap_SHA1_CTX ctx;
+    lutil_SHA1_CTX ctx;
 
-    ldap_SHA1Init(&ctx);
-    ldap_SHA1Update(&ctx, data, len);
-    return(ldap_SHA1End(&ctx, buf));
+    lutil_SHA1Init(&ctx);
+    lutil_SHA1Update(&ctx, data, len);
+    return(lutil_SHA1End(&ctx, buf));
 }

servers/slapd/back-ldbm/alias.c

@@ -112,7 +112,7 @@ char *derefDN ( Backend     *be,
 )
 {
   struct ldbminfo *li = (struct ldbminfo *) be->be_private;
-  char 	*matched;
+  char 	*matched = 0;
   char 	*newDN = NULL;
   int	depth, i;
   Entry 	*eMatched;

servers/slapd/back-ldbm/bind.c

@@ -13,21 +13,12 @@
 #include "back-ldbm.h"
 #include "proto-back-ldbm.h"
 
-#ifdef SLAPD_SHA1
-#include <lutil_sha1.h>
-#endif /* SLAPD_SHA1 */
-
-#ifdef SLAPD_MD5
-#include <lutil_md5.h>
-#endif /* SLAPD_MD5 */
-
 #include <lutil.h>
 
 #ifdef HAVE_KERBEROS
 extern int	krbv4_ldap_auth();
 #endif
 
-#ifdef SLAPD_CRYPT
 pthread_mutex_t crypt_mutex;
 
 static int
@@ -41,66 +32,19 @@ crypted_value_find(
 {
 	int     i;
 	for ( i = 0; vals[i] != NULL; i++ ) {
-		if ( syntax != SYNTAX_BIN && strncasecmp( "{CRYPT}",
-			vals[i]->bv_val, (sizeof("{CRYPT}") - 1 ) ) == 0 ) {
-				char *userpassword = vals[i]->bv_val + sizeof("{CRYPT}") - 1;
+		if ( syntax != SYNTAX_BIN ) {
+			int result;
+
 			pthread_mutex_lock( &crypt_mutex );
-				if (strcmp(userpassword, crypt(cred->bv_val,
-						userpassword)) == 0) {
+
+			result = lutil_passwd(
+				(char*) cred->bv_val,
+				(char*) vals[i]->bv_val);
+
 			pthread_mutex_unlock( &crypt_mutex );
-					return ( 0 );
-				}
-				pthread_mutex_unlock( &crypt_mutex );
-#ifdef SLAPD_MD5
-		} else if ( syntax != SYNTAX_BIN && strncasecmp( "{MD5}",
-			vals[i]->bv_val, (sizeof("{MD5}") - 1 ) ) == 0 ) {
-				ldap_MD5_CTX MD5context;
-				unsigned char MD5digest[20];
-				char base64digest[29]; 	/* ceiling(sizeof(input)/3) * 4 + 1 */
 
-				char *userpassword = vals[i]->bv_val + sizeof("{MD5}") - 1;
+			return result;
 
-				ldap_MD5Init(&MD5context);
-				ldap_MD5Update(&MD5context,
-					(unsigned char *) cred->bv_val,
-					strlen(cred->bv_val));
-				ldap_MD5Final(MD5digest, &MD5context);
-
-				if (b64_ntop(MD5digest, sizeof(MD5digest),
-					base64digest, sizeof(base64digest)) < 0)
-				{
-					return ( 1 );
-				}
-
-				if (strcmp(userpassword, base64digest) == 0) {
-					return ( 0 );
-				}
-#endif /* SLAPD_MD5 */
-#ifdef SLAPD_SHA1
-		} else if ( syntax != SYNTAX_BIN && strncasecmp( "{SHA}",
-			vals[i]->bv_val, (sizeof("{SHA}") - 1 ) ) == 0 ) {
-				ldap_SHA1_CTX SHA1context;
-				unsigned char SHA1digest[20];
-				char base64digest[29]; 	/* ceiling(sizeof(input)/3) * 4 + 1 */
-
-				char *userpassword = vals[i]->bv_val + sizeof("{SHA}") - 1;
-
-				ldap_SHA1Init(&SHA1context);
-				ldap_SHA1Update(&SHA1context,
-					(unsigned char *) cred->bv_val,
-					strlen(cred->bv_val));
-				ldap_SHA1Final(SHA1digest, &SHA1context);
-
-				if (b64_ntop(SHA1digest, sizeof(SHA1digest),
-					base64digest, sizeof(base64digest)) < 0)
-				{
-					return ( 1 );
-				}
-
-				if (strcmp(userpassword, base64digest) == 0) {
-					return ( 0 );
-				}
-#endif /* SLAPD_SHA1 */
 		} else {
                 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
                         return( 0 );
@@ -110,7 +54,6 @@ crypted_value_find(
 
 	return( 1 );
 }
-#endif /* SLAPD_CRYPT */
 
 int
 ldbm_back_bind(

servers/slapd/backend.c

@@ -208,11 +208,11 @@ be_isroot( Backend *be, char *dn )
 int
 be_isroot_pw( Backend *be, char *dn, struct berval *cred )
 {
-	if ( ! be_isroot( be, dn ) || be->be_rootpw == NULL ) {
+	if ( ! be_isroot( be, dn ) ) {
 		return( 0 );
 	}
 
-	return( strcmp( be->be_rootpw, cred->bv_val ) == 0 );
+	return( lutil_passwd( cred->bv_val, be->be_rootpw ) == 0 );
 }
 
 void