LDAP: password sync is broken
Impacted versions
- OS Type: Debian
- OS Version: bullseye 11.4
- Database Type: MySQL / MariaDB
- Database version: 10.5.15
- Modoboa: 2.0.1
- installer used: yes
- Webserver: nginx
Steps to reproduce
- have an openldap / slapd installation (I can certainly get more info on this, but I was only tasked with fixing the issue and have not yet fiddled much with the slapd config). The important point is: slapd must automatically encrypt new userPasswords if it thinks the hash type is unknown
- install modoboa
- configure ldap connection
- use modoboa to change a user's password
Current behavior
There are two issues we were able to identify:
1. modoboa does not send the password hashing scheme to the ldap server
TL;DR: modoboa sends $6$rounds=70000$... to the ldap server instead of {SHA512-CRYPT}$6$rounds=70000$...
We were able to capture this with tcpdump. When modoboa sends the password to ldap (https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L119), we always found it only sends the actual hash starting with $6$rounds=70000$...
2. ldap only understands "{CRYPT}"
TL;DR: modoboa sends {SHA512-CRYPT}$6$rounds=70000$... to the ldap server instead of {CRYPT}$6$rounds=70000$...
The second issue is with slapd only supporting {CRYPT} as a scheme. It can understand, operate on and generate multiple different hash types (like $1$, $5$, and $6$), but this is controlled only by the actual hash, not by the scheme prefix.
These do not work: {SHA256-CRYPT}, {SHA512-CRYPT}, {BLF-CRYPT}, but their hashes work if stored in the userPassword field in LDAP with {CRYPT} as the prefix.
Expected behavior
Included in the "Current behavior" section.
Possible fixes:
1. modoboa does not send the password hashing scheme to the ldap server
The update_ldap_account function uses get_user_password from that same file (https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L50). We identified an issue in line https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L56 which prevents the scheme from being sent if the account is not disabled.
I fixed it by adding parentheses around the disabled check (see: https://github.com/modoboa/modoboa/commit/53dd6c7502d8f8aeb81c8e4caec13a065e92f172).
Afterwards, tcpdump showed the correct full hash with the scheme prepended (i.e. {SHA512-CRYPT}$6$rounds=70000$...).
2. ldap only understands "{CRYPT}"
To fix this issue, I added "LDAP_DROP_SCHEME_PREFIX" to settings.py and a check in get_user_password which sets the scheme to "{CRYPT}" when this option is set (see: https://github.com/modoboa/modoboa/commit/7432877c3429a0f8bc3d8084b3e00eee7887a0f5).
We verified it working with tcpdump, which now showed correct updates to userPassword with a full hash like {CRYPT}$6$rounds=70000$...
Sadly, I am not very good with Python and was unable to find where to "declare" that new option for the generated settings.py, so this needs to be added by someone else.
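The two failure modes described in this report, as an added illustration that is not modoboa's own code: a hypothetical shape of the missing-parentheses bug in a get_user_password-style helper, the fixed form with an optional {CRYPT} collapse, and a small model of how slapd treats a userPassword value whose scheme it does not recognise (it re-hashes the string as if it were cleartext, so the real password stops matching). The sample hash, the "!" marker used for disabled accounts, and the function names are constructed for this example.

```python
import base64
import hashlib

# Constructed sample in the shape modoboa stores SHA512-CRYPT hashes
# (fake salt and digest, not derived from any real password).
SAMPLE_HASH = "$6$rounds=70000$c0nstructedsalt0$ZmFrZWRpZ2VzdA.fakefakefakefakefake"

# crypt(3) identifiers that slapd's {CRYPT} scheme understands, mapped to
# the Dovecot-style scheme names a sync layer might derive from them.
CRYPT_IDS = {"$1$": "MD5-CRYPT", "$5$": "SHA256-CRYPT", "$6$": "SHA512-CRYPT",
             "$2b$": "BLF-CRYPT", "$2y$": "BLF-CRYPT"}
# Schemes a stock slapd recognises in userPassword; anything else is treated
# as cleartext and re-hashed, which is what silently breaks the sync.
SLAPD_SCHEMES = {"CRYPT", "SSHA", "SHA", "SMD5", "MD5", "CLEARTEXT"}


def detect_scheme(hashed):
    for ident, scheme in CRYPT_IDS.items():
        if hashed.startswith(ident):
            return scheme
    raise ValueError("unsupported hash format: " + hashed[:4])


def buggy_user_password(hashed, disable=False):
    """Hypothetical bug shape: the conditional swallows the whole
    concatenation, so the scheme is only sent when disable is True."""
    scheme = detect_scheme(hashed)
    return "{" + scheme + "}" + "!" + hashed if disable else hashed


def fixed_user_password(hashed, disable=False, drop_crypt_prefix=False):
    """Parentheses limit the conditional to the hash part. The optional flag
    collapses every *-CRYPT scheme to {CRYPT}: slapd picks the algorithm
    from the $id$ inside the hash, not from the scheme name."""
    scheme = detect_scheme(hashed)
    if drop_crypt_prefix and scheme.endswith("-CRYPT"):
        scheme = "CRYPT"
    return "{" + scheme + "}" + (("!" + hashed) if disable else hashed)


def simulate_slapd_store(value, salt=b"saltsalt"):
    """Model of slapd handling a userPassword modify: a known scheme is
    stored verbatim; anything else is hashed as a cleartext password
    (modelled as {SSHA} with a fixed salt so the result is deterministic)."""
    if value.startswith("{") and value.split("}", 1)[0][1:] in SLAPD_SCHEMES:
        return "stored", value
    digest = hashlib.sha1(value.encode() + salt).digest()
    return "rehashed", "{SSHA}" + base64.b64encode(digest + salt).decode()
```

Running the three variants through simulate_slapd_store shows why only the {CRYPT}-prefixed value survives the round trip: both the bare hash and the {SHA512-CRYPT} form are treated as cleartext and re-hashed.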
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hm, this seems to work around/fix our modoboa<>ldap problems. Is nobody else having problems with this? Is anybody at least using modoboa w/ ldap in production?
Ok, I suppose it should be "LDAP_DROP_CRYPT_PREFIX" in settings.py.
Thanks for pointing that one out. I fixed it in the opening post.
@tonioo you marked this issue with "feedback-needed". What additional feedback do you need to process this further? Or is there something else I can do to move this forward?