LDAP: password sync is broken
Impacted versions
- OS Type: Debian
- OS Version: bullseye 11.4
- Database Type: MySQL / MariaDB
- Database version: 10.5.15
- Modoboa: 2.0.1
- installer used: yes
- Webserver: nginx
Steps to reproduce
- have an OpenLDAP / slapd installation (I can certainly get more info on this, but I was only tasked with fixing the issue and have not yet fiddled much with the slapd config). The important point is: slapd must automatically encrypt new userPasswords if it thinks the hash type is unknown
- install modoboa
- configure the LDAP connection
- use modoboa to change a user's password
Current behavior
There are two issues we were able to identify:
1. modoboa does not send the password hashing scheme to the LDAP server
TL;DR: modoboa sends `$6$rounds=70000$...` to the LDAP server instead of `{SHA512-CRYPT}$6$rounds=70000$...`
We were able to capture this with tcpdump. When modoboa sends the password to LDAP (https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L119) we always found it only sends the actual hash starting with `$6$rounds=70000$...`
2. LDAP only understands `{CRYPT}`
TL;DR: modoboa sends `{SHA512-CRYPT}$6$rounds=70000$...` to the LDAP server instead of `{CRYPT}$6$rounds=70000$...`
The second issue is with slapd only supporting `{CRYPT}` as a scheme. It can understand, operate on and generate multiple different hash types (like `$1$`, `$5$`, and `$6$`) but this is controlled only by the actual hash, not the scheme prefix.
These do not work: `{SHA256-CRYPT}`, `{SHA512-CRYPT}`, `{BLF-CRYPT}`, but their hashes work if stored in the userPassword field in LDAP with `{CRYPT}` as the prefix.
Expected behavior
Included in the “Current behavior” section.
Possible fixes:
1. modoboa does not send the password hashing scheme to the LDAP server
The update_ldap_account function uses get_user_password from that same file (https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L50). We identified an issue in line https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L56 which prevents the scheme from being sent if the account is not disabled.
I fixed it by adding parentheses around the disabled check (see: https://github.com/modoboa/modoboa/commit/53dd6c7502d8f8aeb81c8e4caec13a065e92f172).
Afterwards tcpdump showed the correct full hash with the scheme prepended (i.e. `{SHA512-CRYPT}$6$rounds=70000$...`).
2. LDAP only understands `{CRYPT}`
To fix this issue, I added `LDAP_DROP_SCHEME_PREFIX` `LDAP_DROP_CRYPT_PREFIX` to settings.py and a check in get_user_password which sets the scheme to `{CRYPT}` when this option is set (see: https://github.com/modoboa/modoboa/commit/7432877c3429a0f8bc3d8084b3e00eee7887a0f5).
We verified it working with tcpdump, which now showed correct updates to userPassword with the full hash like `{CRYPT}$6$rounds=70000$...`
Sadly I am not very good with Python and was unable to find where to “declare” that new option for the generated settings.py, so this needs to be added by someone else.
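An added example (not modoboa's own code; the function and option names are hypothetical and the `!` marker for disabled accounts is an assumed convention) that reproduces the operator-precedence mistake described in the first fix, shows the parenthesised version with an option equivalent to the proposed `{CRYPT}` setting, and checks a userPassword value against what this issue reports slapd will accept:

```python
import re

# Constructed example, not modoboa's code: the precedence mistake described in
# the issue, its fix, and a check of what slapd accepts per the issue's findings.
# The "!" marker for disabled accounts is an assumed convention.


def format_ldap_password_buggy(scheme, password_hash, disabled):
    """Reproduces the bug: the scheme prefix only reaches LDAP for disabled accounts."""
    # The conditional expression binds looser than "+", so this parses as
    #   ("{" + scheme + "}" + "!") if disabled else ("" + password_hash)
    return "{" + scheme + "}" + "!" if disabled else "" + password_hash


def format_ldap_password(scheme, password_hash, disabled, drop_crypt_prefix=False):
    """Fixed: parentheses around the disabled check keep the scheme in both cases."""
    # Hypothetical option mirroring the issue's proposed setting: slapd only
    # knows {CRYPT} and picks the algorithm from the hash's own "$id$" prefix.
    if drop_crypt_prefix and scheme in ("SHA256-CRYPT", "SHA512-CRYPT", "BLF-CRYPT"):
        scheme = "CRYPT"
    return "{" + scheme + "}" + ("!" if disabled else "") + password_hash


# Per the issue, slapd verifies {CRYPT} values and selects the hash type from
# the $1$ / $5$ / $6$ / $2..$ prefix of the hash itself, not from the scheme.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)
_CRYPT_ID_RE = re.compile(r"^\$(1|5|6|2[abxy]?)\$")


def split_scheme(value):
    """Split '{SCHEME}hash' into (scheme, hash); scheme is None when absent."""
    m = _SCHEME_RE.match(value)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)


def slapd_would_verify(value):
    """True only for values slapd can verify: {CRYPT} plus a recognised crypt id.

    A bare hash (no scheme) is what the buggy function sends; slapd treats it as
    an unknown type and, as the issue notes, re-hashes it, breaking logins.
    """
    scheme, crypt_hash = split_scheme(value)
    return scheme == "CRYPT" and _CRYPT_ID_RE.match(crypt_hash) is not None
```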
Issue Analytics
- Created a year ago
- Comments: 6
Top GitHub Comments
Thanks for pointing that one out. I fixed it in the opening post.
@tonioo you marked this issue with “feedback-needed”. What additional feedback do you need to process this further? Or is there something else I can do to move this forward?