The example python code in customizing.html under the 
heading "Using an external password validation source" has a 
couple of bugs.

First, the script needs to import the os and crypt modules. I 
added the following as the first line of the script:

import os, crypt

 Second, the line

                return crypt.crypt(password, ent[1][:2]) == ent[1]

should be 

                return crypt.crypt(password, ent[1]) == ent[1]

Finally, to match better with the following example on "Using a 
UN*X passwd file as the user database", it would be best to use 
the same file name in both examples. I changed

        file = os.path.join(self.db.config.TRACKER_HOME, 
'passwd.txt')

to

        file = os.path.join(self.db.config.TRACKER_HOME, 
'users.passwd')

Logged In: YES 
user_id=6405

I've made all suggested changes except the invocation of crypt.crypt() 
 
The second argument to crypt() is the salt, which is always the first 2 
characters of a crypt()'ed password. That is, in: 
 
>>> import crypt 
>>> crypt.crypt('sekrit', 'aa') 
'aamzd3ZUREauc' 
>>> 
 
The "aa" is the salt, and forms the first two chars of the crypt()'ed 
password. Passing any additional chars has no effect: 
 
>>> crypt.crypt('sekrit', 'aamzd3ZUREauc') 
'aamzd3ZUREauc' 
>>> 
 
but is incorrect in terms of the length of the salt argument. 
 

Logged In: YES 
user_id=8719

are you aware of any crypt() implementation that does not
tolerate more than two characters in salt?

in FreeBSD, salt can take one of three forms:

 * DES extended format - 9 characters, starting from underscore.
 * modular crypt - starting with $digit$, up to 8 following
characters used for salt.
 * traditional crypt - salt length and use depends "upon the
algorithm for the hash.  For best results, specify at least
two characters of salt." [crypt(3)]

glibc2 (i.e. linux) implements MD5 passwords with salt
format same as in bsd modular crypt - up to 11 characters used.

Logged In: NO 

I'd rather stick with just two as that's guaranteed to work, and it's the length 
indicated in the Python Library Reference. 

Logged In: YES 
user_id=8719

could you point to PLR chapter restricting salt length to 2
characters, please?

chapter "8.4 crypt" reads: "This module implements an
interface to the crypt(3) routine".  this means that all
technical details such as salt length are specified in os
manual.  see below.

Logged In: YES 
user_id=118537

All I know is that authentication failed for me until I made the change. 
I checked back with the implementation I used under 0.6.2 and it had 
the same form for the call to crypt. My recollection is very hazy, but I 
seem to recall that it has to do with our NIS passwd map using MD5 
hashes or some-such, and crypt needing to look at the first few 
characters to decide what encryption algorithm is being used.

FWIW, here's an example from our NIS passwd map:

smb:$1$G03.BGF1$TIV.UDbDdTTumMsQoc6hg/:833:1001:Steve 
Byan:/home/smb:/bin/bash

Here's the pertinent part from the crypt man page on my SuSE SLES9 
system that's running my roundup instances:

GNU EXTENSION
       The glibc2 version of  this  function  has  the  following
       additional features.  If salt is a character string start­
       ing with the three characters "$1$" followed  by  at  most
       eight  characters,  and optionally terminated by "$", then
       instead of using the DES machine, the glibc crypt function
       uses  an  MD5-based algorithm, and outputs up to 34 bytes,
       namely "$1$<string>$", where "<string>" stands for the  up
       to  8  characters following "$1$" in the salt, followed by
       22 bytes chosen from the set  [a–zA–Z0–9./].   The  entire
       key  is  significant  here  (instead  of  only the first 8
       bytes).

       Programs using this function must be linked with  -lcrypt.


So in my case, I need to pass crypt at least 5 characters.