[GH-ISSUE #2372] LDAP: Error in creating/updating userPassword #1583

New issue

Closed

opened 2026-02-27 11:17:56 +03:00 by kerem · 5 comments

kerem commented 2026-02-27 11:17:56 +03:00

Owner

Copy link

Originally created by @alexcustos on GitHub (Oct 8, 2021).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/2372

Impacted versions

• OS Type: Ubuntu
• OS Version: 20.04
• Database Type: PostgreSQL
• Database version: 12
• Modoboa: 1.17.0
• installer used: Yes
• Webserver: Nginx

Steps to reproduce

# https://github.com/modoboa/modoboa/blob/master/modoboa/ldapsync/lib.py
if user.password:
        password = get_user_password(user, not user.is_active)
        ldif.append((ldap.MOD_REPLACE, "userPassword", password))

Current behavior

This is not how the password is supposed to be created/updated in LDAP. This code extracts the SHA512-CRYPT string and sends it to LDAP. I debugged it for a while, and force_bytes("plain_text_password") instead of the password variable does the job.

Expected behavior

I expect a proper password to be sent to LDAP to allow other clients to use it as well.

Originally created by @alexcustos on GitHub (Oct 8, 2021). Original GitHub issue: https://github.com/modoboa/modoboa/issues/2372 # Impacted versions * OS Type: Ubuntu * OS Version: 20.04 * Database Type: PostgreSQL * Database version: 12 * Modoboa: 1.17.0 * installer used: Yes * Webserver: Nginx # Steps to reproduce ``` # https://github.com/modoboa/modoboa/blob/master/modoboa/ldapsync/lib.py if user.password: password = get_user_password(user, not user.is_active) ldif.append((ldap.MOD_REPLACE, "userPassword", password)) ``` # Current behavior This is not how the password is supposed to be created/updated in LDAP. This code extracts the SHA512-CRYPT string and sends it to LDAP. I debugged it for a while, and `force_bytes("plain_text_password")` instead of the `password` variable does the job. # Expected behavior I expect a proper password to be sent to LDAP to allow other clients to use it as well.

kerem 2026-02-27 11:17:56 +03:00

• closed this issue
• added the
  stale
  label

kerem commented 2026-02-27 11:17:56 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 14, 2021):

Plain text password is not available in the database and OpenLDAP (at least) is supposed to understand the way password are stored in modoboa because we use the same format...

<!-- gh-comment-id:943067131 --> @tonioo commented on GitHub (Oct 14, 2021): Plain text password is not available in the database and OpenLDAP (at least) is supposed to understand the way password are stored in modoboa because we use the same format...

kerem commented 2026-02-27 11:17:56 +03:00

Author

Owner

Copy link

@alexcustos commented on GitHub (Oct 14, 2021):

Plain text password is not available in the database

Not far from the LDAP sync handler, there's a raw_value variable (core/models.py). It looks like a raw password that can be passed down to the handler. I guess it's how it's supposed to work. Otherwise, LDAP synchronization doesn't make any sense. Modoboa can authenticate against Plain and SSHA hashed passwords in LDAP but saves back gibberish.

<!-- gh-comment-id:943300091 --> @alexcustos commented on GitHub (Oct 14, 2021): > Plain text password is not available in the database Not far from the LDAP sync handler, there's a `raw_value` variable (`core/models.py`). It looks like a raw password that can be passed down to the handler. I guess it's how it's supposed to work. Otherwise, LDAP synchronization doesn't make any sense. Modoboa can authenticate against Plain and SSHA hashed passwords in LDAP but saves back gibberish.

kerem commented 2026-02-27 11:17:56 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 19, 2021):

The raw value you're talking about is only available when you set a new password. When do you any other kind of modification, then we don't have it. Could it be possible that your LDAP tries to hash the password sent by modoboa once again?

<!-- gh-comment-id:946591882 --> @tonioo commented on GitHub (Oct 19, 2021): The raw value you're talking about is only available when you set a new password. When do you any other kind of modification, then we don't have it. Could it be possible that your LDAP tries to hash the password sent by modoboa once again?

kerem commented 2026-02-27 11:17:56 +03:00

Author

Owner

Copy link

@alexcustos commented on GitHub (Oct 19, 2021):

The raw value you're talking about is only available when you set a new password.

But what needs to update passwords otherwise? The use case is simple. I want Modoboa to maintain LDAP users that I can use to auth to Nextcloud, for example. In other words, when I create a new user or update its password, I expect Modoboa to sync the provided passwords with LDAP.

Could it be possible that your LDAP tries to hash the password sent by modoboa once again?

Sure, LDAP hashes passwords with SSHA or writes them as Plain text, depending on the settings, but that's not the problem. Why would anyone want to teach external services to authenticate with Modoboa hash instead of the password itself?

<!-- gh-comment-id:946795815 --> @alexcustos commented on GitHub (Oct 19, 2021): > The raw value you're talking about is only available when you set a new password. But what needs to update passwords otherwise? The use case is simple. I want Modoboa to maintain LDAP users that I can use to auth to Nextcloud, for example. In other words, when I create a new user or update its password, I expect Modoboa to sync the provided passwords with LDAP. > Could it be possible that your LDAP tries to hash the password sent by modoboa once again? Sure, LDAP hashes passwords with SSHA or writes them as Plain text, depending on the settings, but that's not the problem. Why would anyone want to teach external services to authenticate with Modoboa hash instead of the password itself?

kerem commented 2026-02-27 11:17:56 +03:00

Author

Owner

Copy link

@stale[bot] commented on GitHub (Dec 18, 2021):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

<!-- gh-comment-id:997220334 --> @stale[bot] commented on GitHub (Dec 18, 2021): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix/sievefilters-allow-email-in-rule-name

dependabot/npm_and_yarn/frontend/axios-1.15.0

translations_04c0b653215cb5fa48ab101eae1a1917_ja_JP

translations_5d93982e9fd6dab991db4faf93ce9ded_ja_JP

fix/login-issue-3995

fix/sievefilters-issues

add-vitepress-openapi

2974-dmarc-empty-email

2.3.x

updated-doc-2.3.0

feature/OIDC

delete-all-alarms

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_af_ZA

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ar

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ca

1.x

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_sk

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_tr

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_es_ES

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_uk

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_zh_CN

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_de_DE

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_da_DK

1.8.x

1.7.x

1.6.x

1.4.x

1.3.x

1.2.x

2.8.2

2.8.1

2.8.0

2.7.2

2.7.1

2.7.0

2.6.5

2.6.4

2.6.3

2.6.2

2.6.1

2.6.0

2.5.1

2.5.0

2.4.11

2.4.10

2.4.9

2.4.8

2.4.7

2.4.6

2.4.5

2.4.4

2.4.3

2.4.2

2.4.1

2.4.0

2.3.6

2.3.5

2.3.4

2.3.3

2.3.2

2.3.1

2.3.0

2.3.0-beta.4

2.3.0-beta.3

2.3.0-beta.2

2.3.0-beta.1

2.2.4

2.2.3

2.2.2

2.2.1

2.2.0

2.1.2

2.1.1

2.1.0

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.1

1.17.0

1.16.1

1.16.0

1.15.0

1.14.0

1.13.1

1.13.0

1.12.2

1.12.1

1.12.0

1.11.1

1.11.0

1.10.7

1.10.6

1.10.5

1.10.4

1.10.3

1.10.2

1.10.1

1.10.0

1.9.1

1.9.0

1.8.3

1.8.2

1.8.1

1.8.0

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.4.5

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.5

1.3.4

1.2.2

1.3.3

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.2.0-rc2

1.2.0-rc1

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.1

1.0.0

0.9.5

0.9.4

0.9.3

0.9.2

0.9.1

0.9

0.8.8

0.8.7

0.8.6.1

0.8.6

0.8.5

0.8.4

0.8.3

0.8.3-rc1

0.8.2

0.8.1

0.8

0.8-rc2

0.8-rc1

0.7.2

0.7.1

0.7

0.6.1

0.6

0.5

0.3

0.2

0.1

Labels

Clear labels   

bug

  

bug

  

dependencies

  

design

  

documentation

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

feedback-needed

  

help-needed

  

help-needed

  

installer

  

invalid

  

looking-for-sponsors

  

modoboa-contacts

  

new-ui

  

new-ui

  

pr

  

pull-request

Mirrored from GitHub Pull Request

  

pyconfr

  

python

  

question

  

security

  

stale

  

webmail

  

wontfix

No labels

bug

bug

dependencies

design

documentation

duplicate

enhancement

enhancement

enhancement

feedback-needed

help-needed

help-needed

installer

invalid

looking-for-sponsors

modoboa-contacts

new-ui

new-ui

pr

pull-request

pyconfr

python

question

security

stale

webmail

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/modoboa-modoboa#1583

No description provided.