1

Topic: Users cannot login to selfservice

==== Required information ====
- iRedMail version:  0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CentOS 7
- Related log if you're reporting an issue:
====

Hi!

I installed a new server since I want to migrate from CentOS 6 to CentOS 7 .... I installed iRedMail and iRedAdmin-Pro-LDAP latest version... and using Apache Directory Studio I exported Groups, Aliases, and Users..... then edited users and removed postmaster since a new one is created.... imported them to the new server with no errors, .... applied updateLDAPValues_087_to_090.py .... and with rsync I copied users' mails from /var/vmail/vmail1/....

Mail is working, roundcube also...

BUT !!!
On the iRedAdmin panel only postmaster can login .... no other user can ... except if I create the user from iRedAdmin....

Then I realised.... postmaster has its password stored as SSHA ..... all other users as SHA .....

Is there any error? ..... or how can I use SHA passwords to log in to the iRedAdmin panel?!? or convert them to SSHA?


2

Re: Users cannot login to selfservice

iRedAdmin-Pro doesn't support SHA by default; you have to use one of MD5 (either salted or plain MD5), SSHA, SSHA512, BCRYPT, or plain password.

May I know how you generate the SHA password? And is it possible to give me one SHA password with its plain password? I will test it and create a patch for iRedAdmin-Pro to support SHA.

3 (edited by kmihalj 2015-01-22 16:56:25)

Re: Users cannot login to selfservice

I have another LDAP which I cannot modify since it is monitored and under special supervision and is part of a certification, so it must stay untouched and I cannot add the iRedMail schemas.... but in that LDAP are all users (I work at a college .... ca. 350 employees and ca. 10000 students).

I sync users in that LDAP with the iRedMail LDAP using a cron job (I posted the script in the topic "Sync mail users with another LDAP server").

In the attachments are .LDIF exports for user "test123@efzg.hr" with password "Test123." (dot at the end).
One is with the SSHA password created by iRedAdmin, ... and the other is with the same password but stored as SHA....
Exports are from the old server (iRedMail 0.8.7 and iRedAdminPro 2.1.2).
Mail is working with both passwords ... If the user is an admin it can login to the old iRedAdmin Pro 2.1.2 .... (iRedMail 0.8.7)

On the new server with iRedMail 0.9.0 and iRedAdmin Pro 2.2.1 mail is working with both passwords, ... but iRedAdminPro with the SHA password gives "Error: Username or password is incorrect." so only postmaster can login to the Pro panel .... no other users and also no other admins can login.

The old server is on CentOS 6 and the new one on CentOS 7.

and here is the ldapsearch output with SSHA

[root@iredmail ~]# ldapsearch -H ldap://172.16.0.105:389 -x -D "cn=Manager,dc=efzg,dc=hr" -w "password_hidden" -b "dc=efzg,dc=hr" uid=test123 "uid" "userPassword" "givenName" "sn"
# extended LDIF
#
# LDAPv3
# base <dc=efzg,dc=hr> with scope subtree
# filter: uid=test123
# requesting: uid userPassword givenName sn 
#

# test123@efzg.hr, Users, efzg.hr, domains, efzg.hr
dn: mail=test123@efzg.hr,ou=Users,domainName=efzg.hr,o=domains,dc=efzg,dc=hr
userPassword:: e1NTSEF9MTJoUkY3QlpEQ2UxdnNkM21YOXFyMlBrSCtXK0kyRU9YRXhsM0E9PQ=
 =
sn: test123
uid: test123

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@iredmail ~]# ldapsearch -H ldap://172.16.0.105:389 -x -D "cn=Manager,dc=efzg,dc=hr" -w "password_hidden" -b "dc=efzg,dc=hr" uid=test123 "uid" "userPassword" "givenName" "sn" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;binmode(STDOUT, ":utf8");print'
# extended LDIF
#
# LDAPv3
# base <dc=efzg,dc=hr> with scope subtree
# filter: uid=test123
# requesting: uid userPassword givenName sn 
#

# test123@efzg.hr, Users, efzg.hr, domains, efzg.hr
dn: mail=test123@efzg.hr,ou=Users,domainName=efzg.hr,o=domains,dc=efzg,dc=hr
userPassword:: {SSHA}12hRF7BZDCe1vsd3mX9qr2PkH+W+I2EOXExl3A==
sn: test123
uid: test123

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And here is the same data but with the SHA password

[root@iredmail ~]# ldapsearch -H ldap://172.16.0.105:389 -x -D "cn=Manager,dc=efzg,dc=hr" -w "password_hidden" -b "dc=efzg,dc=hr" uid=test123 "uid" "userPassword" "givenName" "sn"
# extended LDIF
#
# LDAPv3
# base <dc=efzg,dc=hr> with scope subtree
# filter: uid=test123
# requesting: uid userPassword givenName sn 
#

# test123@efzg.hr, Users, efzg.hr, domains, efzg.hr
dn: mail=test123@efzg.hr,ou=Users,domainName=efzg.hr,o=domains,dc=efzg,dc=hr
sn: test123
uid: test123
userPassword:: e3NoYX0wK0J3MHlxR3BzS3IrL2I0aVZLT1ZxUFpuWXc9

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@iredmail ~]# ldapsearch -H ldap://172.16.0.105:389 -x -D "cn=Manager,dc=efzg,dc=hr" -w "password_hidden" -b "dc=efzg,dc=hr" uid=test123 "uid" "userPassword" "givenName" "sn" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;binmode(STDOUT, ":utf8");print'
# extended LDIF
#
# LDAPv3
# base <dc=efzg,dc=hr> with scope subtree
# filter: uid=test123
# requesting: uid userPassword givenName sn 
#

# test123@efzg.hr, Users, efzg.hr, domains, efzg.hr
dn: mail=test123@efzg.hr,ou=Users,domainName=efzg.hr,o=domains,dc=efzg,dc=hr
sn: test123
uid: test123
userPassword:: {sha}0+Bw0yqGpsKr+/b4iVKOVqPZnYw=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Post's attachments: test123_SHA.ldif (1.18 kb), test123_SSHA.ldif (1.2 kb)

4

Re: Users cannot login to selfservice

Dear kmihalj,

here's a patch for iRedAdmin-Pro-LDAP-2.2.1; you can apply it and restart the Apache service to load the patched file. Let me know whether or not it works for you.

diff -r 0eed346da31f libs/iredpwd.py
--- a/libs/iredpwd.py    Thu Jan 22 00:50:51 2015 +0800
+++ b/libs/iredpwd.py    Thu Jan 22 22:18:10 2015 +0800
@@ -144,6 +144,8 @@
     """Verify salted MD5 password"""
     if challenge_password.startswith('{MD5}') or challenge_password.startswith('{md5}'):
         challenge_password = challenge_password[5:]
+    elif challenge_password.startswith('{CRYPT}') or challenge_password.startswith('{crypt}'):
+        challenge_password = challenge_password[7:]
 
     if not (challenge_password.startswith('$')
             and len(challenge_password) == 34
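Review bot: the new `{CRYPT}` branch strips the prefix, but the docstring on the first context line still reads "Verify salted MD5 password"; update it to say the function also accepts a `{CRYPT}` prefix, and add a comment that a `{CRYPT}` prefix does not by itself imply an MD5 hash, so anything that is not a 34-character hash starting with `$` still fails the `startswith('$') and len(challenge_password) == 34` guard below (rejecting it is the correct, fail-closed outcome, but a reader should see that this is intended). The case handling could also reuse the `upper()` pattern the dispatcher in the third hunk uses instead of pairing each prefix with its lowercase twin.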
@@ -198,10 +200,13 @@
 
 
 def verify_ssha_password(challenge_password, plain_password):
-    """Verify SSHA (salted SHA) hash with or without prefix '{SSHA}'"""
+    """Verify SHA or SSHA (salted SHA) hash with or without prefix {SHA}, {SSHA}"""
     if challenge_password.startswith('{SSHA}') \
        or challenge_password.startswith('{ssha}'):
         challenge_password = challenge_password[6:]
+    elif challenge_password.startswith('{SHA}') \
+       or challenge_password.startswith('{sha}'):
+        challenge_password = challenge_password[5:]
 
     if not len(challenge_password) > 20:
         # Not a valid SSHA hash
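Review bot: the comment `# Not a valid SSHA hash` under the `len(challenge_password) > 20` guard is stale now that the function also accepts `{SHA}`; change it to `# Not a valid SHA/SSHA hash`. More importantly, the body below this hunk (not shown) must cope with an unsalted hash: a `{SHA}` payload base64-decodes to just the 20-byte SHA-1 digest with no trailing salt, so whatever splits digest from salt must tolerate an empty salt, and note the length guard is on the base64 text (28 characters for a bare digest), not the decoded bytes. Also, this new `{SHA}` branch is only reachable if the dispatcher routes `{SHA}` here; that should be checked against the third hunk.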
@@ -349,7 +354,7 @@
     upwd = challenge_password.upper()
     if upwd.startswith('{SSHA}'):
         return verify_ssha_password(challenge_password, plain_password)
-    elif upwd.startswith('{SSHA512}'):
+    elif upwd.startswith('{SSHA512}') or upwd.startswith('{SHA}'):
         return verify_ssha512_password(challenge_password, plain_password)
     elif upwd.startswith('{PLAIN-MD5}'):
         return verify_plain_md5_password(challenge_password, plain_password)

Or, I can mail you a patched version of iRedAdmin-Pro-LDAP-2.2.1; you can upgrade the running version to the patched version with this tutorial (just one command):
http://www.iredmail.org/docs/migrate.or … admin.html

5 (edited by kmihalj 2015-01-22 22:52:34)

Re: Users cannot login to selfservice

ZhangHuangbin wrote:

Or, I can mail you a patched version of iRedAdmin-Pro-LDAP-2.2.1; you can upgrade the running version to the patched version with this tutorial (just one command):
http://www.iredmail.org/docs/migrate.or … admin.html

That would be nice .... you have my mail address.

6

Re: Users cannot login to selfservice

Email sent. Let me know whether or not it works for you.

7 (edited by kmihalj 2015-01-22 23:31:54)

Re: Users cannot login to selfservice

Does not work....

I still get error: "Error: Username or password is incorrect."

8

Re: Users cannot login to selfservice

Hmm, is it possible to let me login to your server for further debugging?

9

Re: Users cannot login to selfservice

ZhangHuangbin wrote:

Hmm, is it possible to let me login to your server for further debugging?

I found the error:

    if upwd.startswith('{SSHA}'):
        return verify_ssha_password(challenge_password, plain_password)
    elif upwd.startswith('{SSHA512}') or upwd.startswith('{SHA}'):
        return verify_ssha512_password(challenge_password, plain_password)

should be

    if upwd.startswith('{SSHA}') or upwd.startswith('{SHA}'):
        return verify_ssha_password(challenge_password, plain_password)
    elif upwd.startswith('{SSHA512}'):
        return verify_ssha512_password(challenge_password, plain_password)

and after that change all is working.
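As an added example (not code from this thread, from kmihalj, or from iRedAdmin-Pro), here is a stand-alone Python verifier for the two schemes the thread is about, using the dispatcher routing kmihalj corrected above: `{SHA}` and `{SSHA}` both go to the SHA/SSHA verifier, and a scheme prefix is matched case-insensitively so the `{sha}` spelling stored in the LDIF works. The two stored hashes are copied from the ldapsearch output in post 3, whose plaintext the thread gives as "Test123."; the function names, the 8-byte salt length in `make_ssha`, and the login-time rehash helper are this example's own assumptions. The rehash helper is the practical answer to the opening question of how to "convert" SHA to SSHA: a stored digest cannot be converted without the plaintext, so the migration can only happen at the user's next successful login.

```python
import base64
import hashlib
import hmac
import os

# Hashes copied verbatim from the ldapsearch output in post 3 of this thread.
# The thread states both were generated from the plaintext "Test123.".
PAGE_SSHA = "{SSHA}12hRF7BZDCe1vsd3mX9qr2PkH+W+I2EOXExl3A=="
PAGE_SHA = "{sha}0+Bw0yqGpsKr+/b4iVKOVqPZnYw="

SHA1_DIGEST_LEN = 20  # bytes


def split_scheme(challenge):
    """Split an RFC 2307 style '{SCHEME}payload' string into (SCHEME, payload).

    The scheme is upper-cased so '{sha}' and '{SHA}' are treated alike;
    the payload is returned untouched. Strings without a prefix yield ''.
    """
    end = challenge.find("}")
    if not challenge.startswith("{") or end == -1:
        return "", challenge
    return challenge[1:end].upper(), challenge[end + 1:]


def parse_sha_payload(payload):
    """Base64-decode the payload into (digest, salt).

    {SHA} stores only the 20-byte SHA-1 digest, so salt is b"".
    {SSHA} stores digest || salt; the salt is whatever bytes follow.
    Raises ValueError on malformed input (binascii.Error is a ValueError).
    """
    raw = base64.b64decode(payload, validate=True)
    if len(raw) < SHA1_DIGEST_LEN:
        raise ValueError("payload shorter than a SHA-1 digest")
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def verify_sha_or_ssha(challenge, plain):
    """Verify plain against a {SHA} or {SSHA} hash; any other input is False."""
    scheme, payload = split_scheme(challenge)
    if scheme not in ("SHA", "SSHA"):
        return False
    try:
        digest, salt = parse_sha_payload(payload)
    except ValueError:
        return False
    if scheme == "SHA" and salt:
        return False  # an unsalted {SHA} payload must be exactly one digest
    expected = hashlib.sha1(plain.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def verify_ldap_password(challenge, plain):
    """Dispatcher with the routing kmihalj corrected in post 9: {SHA} and
    {SSHA} both go to the SHA/SSHA verifier. The other schemes iRedAdmin-Pro
    accepts (MD5, SSHA512, BCRYPT, plain) are out of scope here and rejected.
    The function name is this example's own, not iRedAdmin-Pro's."""
    scheme, _ = split_scheme(challenge)
    if scheme in ("SHA", "SSHA"):
        return verify_sha_or_ssha(challenge, plain)
    return False


def make_ssha(plain, salt=None):
    """Generate a {SSHA} hash. The thread's SSHA hash decodes to 20 + 8 bytes,
    so an 8-byte random salt is used (assumption: that matches iRedAdmin)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(plain.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_legacy_sha(plain):
    """Generate an unsalted {SHA} hash, the scheme the external LDAP used.
    Only here to reproduce legacy data for testing the verifier."""
    digest = hashlib.sha1(plain.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def upgrade_to_ssha_on_login(challenge, plain):
    """Return a fresh {SSHA} hash if an unsalted {SHA} hash verifies, else None.

    A stored digest cannot be converted to SSHA without the plaintext, so the
    only point at which migration is possible is a successful login.
    """
    scheme, _ = split_scheme(challenge)
    if scheme == "SHA" and verify_sha_or_ssha(challenge, plain):
        return make_ssha(plain)
    return None


if __name__ == "__main__":
    for stored in (PAGE_SSHA, PAGE_SHA):
        print(stored, "->", verify_ldap_password(stored, "Test123."))
```

Running the block prints the verification result for each of the two hashes from post 3. The `{SHA}` branch insists on a payload of exactly one digest, so a value that carries trailing bytes under an unsalted prefix is rejected rather than silently treated as salt.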

10

Re: Users cannot login to selfservice

You're right. Sorry about my mistake.