[solved] LDAP authentication method password - encryption?



  • Hello,

    I am trying to use Kopano Core with LDAP backend. If I use ldap_authentication_method = bind everything works correctly as long as the password is stored as plain text in openLDAP. As I would like to store the passwords encrypted I changed the authentication method to password.
    For testing I am using md5 as hashing algorithm, so for the user test2 there is a userPassword “{md5}6d2f5854b3d76c055485d2a87749ecd1” but on login Kopano says:
    [warning] Authentication by plugin failed for user "test2@testtest.de": Trying to authenticate failed: wrong username or password

    This seems clear as I never told Kopano which hashing algorithm the password was stored in.
    So is there a static method in which Kopano tries to hash the password or am I able to set this to my needs?

    Thank you!

    Greetings
    Sebastian


  • Kopano

    Hi @sbauhaus ,

    I don’t think this option is doing what you think it’s doing (from ‘man kopano-ldap.cfg’):

          ldap_authentication_method
               This value can be bind or password. When set to bind, the plugin
               will authenticate by opening a new connection to the LDAP server
               as the user with the given password. When set to password, the
               plugin will read and match the password field from the LDAP
               server itself. When set to password, the ldap_bind_user should
               have enough access rights to read the password field.
    
               Default for OpenLDAP: bind
    
               Default for ADS: bind
    

    In short encrypted passwords will also work with the bind option.



  • Hello @fbartels ,

    Thank you for pointing that out, I indeed misunderstood the option.
    Turns out that the way I hashed the password was wrong, the md5-hash has to be base64 encoded.

    In my php-script:
    wrong:

    $newmailbox["userpassword"] = "{MD5}" . md5($password_in_plaintext);
    

    correct:

    $newmailbox["userpassword"] = "{MD5}" . base64_encode(md5($password_in_plaintext, true));
    

    [edit]: Even better than storing md5 hashes:

    $salt = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',4)),0,4);
    $newmailbox["userpassword"] = "{SSHA}" . base64_encode( sha1( $password_in_plaintext . $salt, true) . $salt );
    

    Source: https://stackoverflow.com/a/23924612

    Thank you, the issue is resolved!

    Greetings
    Sebastian



  • Just for the record: From a security standpoint you should only allow as few services/daemons as possible access to the password stored in LDAP - encrypted or not. Kopano works perfectly well using LDAP bind - so imho there is no reason to allow Kopano access to the stored password.


Log in to reply
 

Looks like your connection to Kopano Community Forum was lost, please wait while we try to reconnect.