starred/modoboa-modoboa

Fork 0

mirror of https://github.com/modoboa/modoboa.git synced 2026-04-27 18:05:58 +03:00

[GH-ISSUE #2569] LDAP: password sync is broken #1640

New issue

Closed

opened 2026-02-27 11:18:17 +03:00 by kerem · 7 comments

kerem commented

2026-02-27 11:18:17 +03:00

Owner

Originally created by @elgarfo on GitHub (Jul 21, 2022).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/2569

Impacted versions

OS Type: Debian
OS Version: bullseye 11.4
Database Type: MySQL / MariaDB
Database version: 10.5.15
Modoboa: 2.0.1
installer used: yes
Webserver: nginx

Steps to reproduce

have openldap / slapd installation
(i can certainly get more info on this, but i was only tasked with fixing the issue and have not yet much fiddled with slapd config)
the important point is: slapd must automatically encrypt new userPasswords if it thinks the hash type is unknown
install modoboa
configure ldap connection
use modoboa to change users password

Current behavior

there are two issues we were able to identify:

1. modoboa does not send password hashing scheme to ldap-server

TL;DR: modoboa sends $6$rounds=70000$... to ldap server instead of {SHA512-CRYPT}$6$rounds=70000$...

we were able to capture this with tcpdump. when modoboa sends password to ldap github.com/modoboa/modoboa@c263794784/modoboa/ldapsync/lib.py (L119) we always found it only sends the actual hash starting with $6$rounds=70000$...

2. ldap does only understand "{CRYPT}"

TL;DR: modoboa sends {SHA512-CRYPT}$6$rounds=70000$... to ldap server instead of {CRYPT}$6$rounds=70000$...

the second issue is with slapd only supporting {CRYPT} as a scheme. it can understand, operate and generate multiple different hash types (like $1$ , $5$ , and $6$ ) but this is controlled only by the actual hash, not the scheme prefix.

these do not work: {SHA256-CRYPT} {SHA512-CRYPT} {BLF-CRYPT}
but their hashes work if stored in userPassword field in LDAP with {CRYPT} as prefix.

Expected behavior

included in "Current behavior" section

Possible fixes:

1. modoboa does not send password hashing scheme to ldap-server

the update_ldap_account function uses get_user_password from that same file github.com/modoboa/modoboa@c263794784/modoboa/ldapsync/lib.py (L50). we identified an issue in line github.com/modoboa/modoboa@c263794784/modoboa/ldapsync/lib.py (L56) which prevents the scheme from being sent if the accounts is not disabled.

i fixed it by adding parentheses around the disabled check (see: github.com/modoboa/modoboa@53dd6c7502)

afterwards tcpdump showed the correct full hash with scheme prepended (i.e. {SHA512-CRYPT}$6$rounds=70000$...)

2. ldap does only understand "{CRYPT}"

to fix this issue, i added ~~"LDAP_DROP_SCHEME_PREFIX"~~"LDAP_DROP_CRYPT_PREFIX" to settings.py and a check in get_user_password which sets scheme to "{CRYPT" when this option is set. (see: github.com/modoboa/modoboa@7432877c34)

we verified it working with tcpdump which now showed correct updates to userPassword with full hash like {CRYPT}$6$rounds=70000$...

sadly i am not very good with python and was unable to find where to "declare" that new option for the generated settings.py so this needs to be added by s/o else.

Originally created by @elgarfo on GitHub (Jul 21, 2022). Original GitHub issue: https://github.com/modoboa/modoboa/issues/2569 # Impacted versions * OS Type: Debian * OS Version: bullseye 11.4 * Database Type: MySQL / MariaDB * Database version: 10.5.15 * Modoboa: 2.0.1 * installer used: yes * Webserver: nginx # Steps to reproduce 1. have openldap / slapd installation (i can certainly get more info on this, but i was only tasked with fixing the issue and have not yet much fiddled with slapd config) the important point is: slapd must automatically encrypt new userPasswords if it thinks the hash type is unknown 2. install modoboa 3. configure ldap connection 4. use modoboa to change users password # Current behavior there are two issues we were able to identify: ## 1. modoboa does not send password hashing scheme to ldap-server TL;DR: modoboa sends `$6$rounds=70000$...` to ldap server instead of `{SHA512-CRYPT}$6$rounds=70000$...` we were able to capture this with tcpdump. when modoboa sends password to ldap https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L119 we always found it only sends the actual hash starting with `$6$rounds=70000$...` ## 2. ldap does only understand "{CRYPT}" TL;DR: modoboa sends `{SHA512-CRYPT}$6$rounds=70000$...` to ldap server instead of `{CRYPT}$6$rounds=70000$...` the second issue is with slapd only supporting {CRYPT} as a scheme. it can understand, operate and generate multiple different hash types (like `$1$`, `$5$`, and `$6$`) but this is controlled only by the actual hash, not the scheme prefix. these do not work: {SHA256-CRYPT} {SHA512-CRYPT} {BLF-CRYPT} but their hashes work if stored in userPassword field in LDAP with {CRYPT} as prefix. # Expected behavior included in "Current behavior" section # Possible fixes: ## 1. modoboa does not send password hashing scheme to ldap-server the update_ldap_account function uses get_user_password from that same file https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L50. we identified an issue in line https://github.com/modoboa/modoboa/blob/c26379478445da5888bf05be0ba4cf98e20ea046/modoboa/ldapsync/lib.py#L56 which prevents the scheme from being sent if the accounts is not disabled. i fixed it by adding parentheses around the disabled check (see: https://github.com/modoboa/modoboa/commit/53dd6c7502d8f8aeb81c8e4caec13a065e92f172) afterwards tcpdump showed the correct full hash with scheme prepended (i.e. `{SHA512-CRYPT}$6$rounds=70000$...`) ## 2. ldap does only understand "{CRYPT}" to fix this issue, i added ~~"LDAP_DROP_SCHEME_PREFIX"~~"LDAP_DROP_CRYPT_PREFIX" to settings.py and a check in get_user_password which sets scheme to "{CRYPT" when this option is set. (see: https://github.com/modoboa/modoboa/commit/7432877c3429a0f8bc3d8084b3e00eee7887a0f5) we verified it working with tcpdump which now showed correct updates to userPassword with full hash like `{CRYPT}$6$rounds=70000$...` sadly i am not very good with python and was unable to find where to "declare" that new option for the generated settings.py so this needs to be added by s/o else.

kerem

2026-02-27 11:18:17 +03:00

closed this issue
added the
feedback-needed

stale
labels

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@stale[bot] commented on GitHub (Sep 20, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale[bot] commented on GitHub (Sep 20, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@borisdigital commented on GitHub (Sep 26, 2022):

Hm, this seems to workaround/fix our modoboa<>ldap problems. Is nobody else having problems with this? Is anybody at least using modboa w/ ldap in production?

@borisdigital commented on GitHub (Sep 26, 2022): Hm, this seems to workaround/fix our modoboa<>ldap problems. Is nobody else having problems with this? Is anybody at least using modboa w/ ldap in production?

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@borisdigital commented on GitHub (Oct 5, 2022):

Ok, i suppose, it should be "LDAP_DROP_CRYPT_PREFIX" in settings.py.

@borisdigital commented on GitHub (Oct 5, 2022): Ok, i suppose, it should be "LDAP_DROP_CRYPT_PREFIX" in settings.py.

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@elgarfo commented on GitHub (Oct 5, 2022):

thanks for pointing that one out. i fixed it in the opening post.

@elgarfo commented on GitHub (Oct 5, 2022): thanks for pointing that one out. i fixed it in the opening post.

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@stale[bot] commented on GitHub (Dec 12, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale[bot] commented on GitHub (Dec 12, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@elgarfo commented on GitHub (Dec 13, 2022):

@tonioo you marked this issue with "feedback-needed". what additional feedback do you need to process this further? or is there something else i can do to move this forward?

@elgarfo commented on GitHub (Dec 13, 2022): @tonioo you marked this issue with "feedback-needed". what additional feedback do you need to process this further? or is there something else i can do to move this forward?

kerem commented

2026-02-27 11:18:18 +03:00

Author

Owner

@stale[bot] commented on GitHub (Feb 11, 2023):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale[bot] commented on GitHub (Feb 11, 2023): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.