
LDAP: password sync is broken

Open elgarfo opened this issue 3 years ago • 1 comments

Impacted versions

  • OS Type: Debian
  • OS Version: bullseye 11.4
  • Database Type: MySQL / MariaDB
  • Database version: 10.5.15
  • Modoboa: 2.0.1
  • installer used: yes
  • Webserver: nginx

Steps to reproduce

  1. have an openldap / slapd installation (I can certainly get more info on this, but I was only tasked with fixing the issue and have not yet fiddled much with the slapd config). The important point is: slapd must automatically encrypt new userPasswords if it thinks the hash type is unknown
  2. install modoboa
  3. configure ldap connection
  4. use modoboa to change a user's password

Current behavior

there are two issues we were able to identify:

1. modoboa does not send password hashing scheme to ldap-server

TL;DR: modoboa sends $6$rounds=70000$... to ldap server instead of {SHA512-CRYPT}$6$rounds=70000$...

we were able to capture this with tcpdump. when modoboa sends the password to ldap (https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L119) we always found it only sends the actual hash starting with $6$rounds=70000$...

2. ldap only understands "{CRYPT}"

TL;DR: modoboa sends {SHA512-CRYPT}$6$rounds=70000$... to ldap server instead of {CRYPT}$6$rounds=70000$...

the second issue is with slapd only supporting {CRYPT} as a scheme. it can understand, operate on and generate multiple different hash types (like $1$, $5$, and $6$), but this is controlled only by the actual hash, not the scheme prefix.

these do not work: {SHA256-CRYPT}, {SHA512-CRYPT}, {BLF-CRYPT}; but their hashes work if stored in the userPassword field in LDAP with {CRYPT} as the prefix.

Expected behavior

included in the "Current behavior" section

Possible fixes:

1. modoboa does not send password hashing scheme to ldap-server

the update_ldap_account function uses get_user_password from that same file (https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L50). we identified an issue in line https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L56 which prevents the scheme from being sent if the account is not disabled.

I fixed it by adding parentheses around the disabled check (see: https://github.com/modoboa/modoboa/commit/53dd6c7502d8f8aeb81c8e4caec13a065e92f172)

afterwards, tcpdump showed the correct full hash with the scheme prepended (i.e. {SHA512-CRYPT}$6$rounds=70000$...)

2. ldap only understands "{CRYPT}"

to fix this issue, I added "LDAP_DROP_SCHEME_PREFIX" to settings.py and a check in get_user_password which sets the scheme to "{CRYPT}" when this option is set. (see: https://github.com/modoboa/modoboa/commit/7432877c3429a0f8bc3d8084b3e00eee7887a0f5)

we verified it working with tcpdump, which now showed correct updates to userPassword with the full hash like {CRYPT}$6$rounds=70000$...

sadly I am not very good with Python and was unable to find where to "declare" that new option for the generated settings.py, so this needs to be added by someone else.

elgarfo avatar Jul 21 '22 18:07 elgarfo
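An added illustration of the two points in the opening post, written for this page and not taken from modoboa's code: a helper that builds the userPassword value with the scheme prefix always present, optionally collapsing the Dovecot-style crypt scheme names to {CRYPT} for slapd, and a checker that classifies a captured value the way the tcpdump inspections above did. The function names, the crypt-id-to-scheme table and the sample hash are assumptions, not from the original post.

```python
import re

# Added example (not modoboa's code). Dovecot-style scheme names that all denote a
# crypt(3)-formatted hash; per the issue, slapd only accepts them behind a generic
# {CRYPT} prefix, because the $1$/$5$/$6$ id inside the hash selects the algorithm.
CRYPT_SCHEMES = {"MD5-CRYPT", "SHA256-CRYPT", "SHA512-CRYPT", "BLF-CRYPT"}

# crypt(3) id -> scheme name it belongs to (assumed mapping, used as a sanity check).
CRYPT_ID_TO_SCHEME = {"1": "MD5-CRYPT", "5": "SHA256-CRYPT", "6": "SHA512-CRYPT",
                      "2a": "BLF-CRYPT", "2b": "BLF-CRYPT", "2y": "BLF-CRYPT"}

_CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$.+$")
_LDAP_RE = re.compile(r"^\{(?P<scheme>[A-Z0-9-]+)\}(?P<hash>.+)$")

# Constructed sample hash in the shape the issue reports (not a real password hash).
SAMPLE_HASH = "$6$rounds=70000$c0nstructedSalt$" + "A" * 86


def build_user_password(crypt_hash: str, scheme: str, drop_crypt_prefix: bool = False) -> str:
    """Return the userPassword value to send to LDAP, always carrying a scheme prefix.

    drop_crypt_prefix=True collapses every crypt(3)-based scheme to {CRYPT}, which is
    what the issue found slapd needs; the hash keeps its own $6$... id regardless.
    """
    m = _CRYPT_RE.match(crypt_hash)
    if not m:
        raise ValueError("not a crypt(3)-formatted hash")
    if CRYPT_ID_TO_SCHEME.get(m.group("id")) != scheme:
        raise ValueError(f"hash id ${m.group('id')}$ does not match scheme {scheme}")
    if drop_crypt_prefix and scheme in CRYPT_SCHEMES:
        scheme = "CRYPT"
    return "{" + scheme + "}" + crypt_hash


def check_user_password(value: str) -> str:
    """Classify a userPassword value as seen in a capture of the LDAP modify request."""
    m = _LDAP_RE.match(value)
    if not m:
        return "missing-scheme"      # bare $6$...: slapd sees an unknown type and re-hashes it
    if m.group("scheme") in CRYPT_SCHEMES:
        return "unsupported-scheme"  # {SHA512-CRYPT} etc.: not understood by slapd
    if m.group("scheme") == "CRYPT" and _CRYPT_RE.match(m.group("hash")):
        return "ok"
    return "other"                   # e.g. {SSHA}..., outside the scope of the issue


if __name__ == "__main__":
    for v in (SAMPLE_HASH, "{SHA512-CRYPT}" + SAMPLE_HASH,
              build_user_password(SAMPLE_HASH, "SHA512-CRYPT", drop_crypt_prefix=True)):
        print(check_user_password(v), v[:40])
```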

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 20 '22 16:09 stale[bot]

Hm, this seems to work around/fix our modoboa<>ldap problems. Is nobody else having problems with this? Is anybody at least using modoboa w/ ldap in production?

borisdigital avatar Sep 26 '22 10:09 borisdigital

Ok, I suppose it should be "LDAP_DROP_CRYPT_PREFIX" in settings.py.

borisdigital avatar Oct 05 '22 15:10 borisdigital

thanks for pointing that one out. I fixed it in the opening post.

elgarfo avatar Oct 05 '22 15:10 elgarfo

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 12 '22 04:12 stale[bot]

@tonioo you marked this issue with "feedback-needed". what additional feedback do you need to process this further? or is there something else I can do to move this forward?

elgarfo avatar Dec 13 '22 16:12 elgarfo

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Feb 11 '23 17:02 stale[bot]