[solved] LDAP authentication method password - encryption?
-
Hello,
I am trying to use Kopano Core with LDAP backend. If I use ldap_authentication_method = bind everything works correctly as long as the password is stored as plain text in openLDAP. As I would like to store the passwords encrypted I changed the authentication method to password.
For testing I am using md5 as hashing algorithm, so for the user test2 there is a userPassword “{md5}6d2f5854b3d76c055485d2a87749ecd1” but on login Kopano says:
[warning] Authentication by plugin failed for user “test2@testtest.de”: Trying to authenticate failed: wrong username or password
This seems clear as I never told Kopano which hashing algorithm the password was stored in.
So is there a static method in which Kopano tries to hash the password or am I able to set this to my needs?
Thank you!
Greetings
Sebastian -
Hi @sbauhaus ,
I don’t think this option is doing what you think it’s doing (from ‘man kopano-ldap.cfg’):
ldap_authentication_method
This value can be bind or password. When set to bind, the plugin will authenticate by opening a new connection to the LDAP server as the user with the given password. When set to password, the plugin will read and match the password field from the LDAP server itself. When set to password, the ldap_bind_user should have enough access rights to read the password field.
Default for OpenLDAP: bind
Default for ADS: bind
In short encrypted passwords will also work with the bind option.
-
Hello @fbartels ,
Thank you for pointing that out, I indeed misunderstood the option.
Turns out that the way I hashed the password was wrong: the md5 hash has to be base64 encoded. In my php-script:
wrong:
$newmailbox["userpassword"] = "{MD5}" . md5($password_in_plaintext);
correct:
$newmailbox["userpassword"] = "{MD5}" . base64_encode(md5($password_in_plaintext, true));
[edit]: Even better than storing md5 hashes:
$salt = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',4)),0,4);
$newmailbox["userpassword"] = "{SSHA}" . base64_encode( sha1( $password_in_plaintext . $salt, true) . $salt );
Source: https://stackoverflow.com/a/23924612
Thank you, the issue is resolved!
Greetings
Sebastian -
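The userPassword formats discussed in the post above, as an added example in Python (not the poster's PHP and not Kopano or OpenLDAP code): it builds the RFC 2307 style {MD5} and {SSHA} values and checks a candidate password against them the way a directory server does on a simple bind, so the hex-instead-of-raw-digest mistake shows up as a failed check. The password "test" and the fixed salt used for illustration are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import os


def make_md5(password: str) -> str:
    """{MD5}: base64 of the raw 16-byte digest, not of the 32-char hex string."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt=None) -> str:
    """{SSHA}: base64( sha1(password + salt) + salt ); the salt travels with the hash."""
    if salt is None:
        salt = os.urandom(4)          # 4 random bytes, like the PHP snippet's 4-char salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SCHEME}base64 userPassword value,
    as slapd does for a simple bind. Only MD5, SHA and SSHA are handled here."""
    if not stored.startswith("{") or "}" not in stored:
        return False                  # plaintext or unknown layout: not handled here
    scheme, _, encoded = stored[1:].partition("}")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (ValueError, binascii.Error):
        return False
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":
        expected, actual = hashlib.md5(pw).digest(), blob
    elif scheme == "SHA":
        expected, actual = hashlib.sha1(pw).digest(), blob
    elif scheme == "SSHA":
        actual, salt = blob[:20], blob[20:]   # SHA-1 digest is 20 bytes; the rest is salt
        expected = hashlib.sha1(pw + salt).digest()
    else:
        return False
    return hmac.compare_digest(expected, actual)


def wrong_md5(password: str) -> str:
    """The mistake from the post: hex digest instead of base64(raw digest).
    The hex text decodes to 24 bytes that never equal the 16-byte MD5, so bind fails."""
    return "{MD5}" + hashlib.md5(password.encode("utf-8")).hexdigest()
```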
Just for the record: From a security standpoint you should only allow as few services/daemons as possible access to the password stored in LDAP - encrypted or not. Kopano works perfectly well using LDAP bind - so imho there is no reason to allow Kopano access to the stored password.