1

Topic: LDAP multiple passwords?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have a requirement to store multiple passwords for users (for instance mail and PPPOE passwords which we need to keep separate, but the usernames are the same). I can manually add a second password to an account, but as soon as the user is updated using iRedAdmin the second password is removed.

Since userPassword is a multi-valued attribute is there a way to implement this, and ideally have the ability to create multiple passwords in the iRedAdmin interface the same way multi-valued attributes such as telephoneNumber are handled?

I realize this is not going to be a common requirement for most iRedMail users, but is there somewhere you could point me to alter the interface and update script to allow me to accomplish this?

Thanks.

----


2

Re: LDAP multiple passwords?

It's offered by iRedAdmin-Pro; just add the password methods you want like below in the iRedAdmin-Pro config file (/opt/www/iredadmin/settings.py). We use SSHA and SSHA512 as an example here:

DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512'

Easy?

Check the comment lines of this parameter in file /opt/www/iredadmin/libs/default_settings.py for more details. Let me know if it doesn't work for you.

3

Re: LDAP multiple passwords?

I don't see that particular file/path, but I did edit this file (/var instead of /opt):

/var/www/iredadmin/settings.py (I'm guessing that is the one you are referring to)

##############################################################################
# Place your custom settings below, you can override all settings in this file
# and libs/default_settings.py here.
#
DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512'

That seems to do the trick, but I have a couple of questions.

When the password is updated in iRedAdmin-Pro, it is always the first userPassword that gets updated, leaving the second one (and third, etc) that I added manually untouched - correct?

Because the settings.py is in the symlinked folder to the designated version directory, changes to that file will not survive an upgrade, correct?

Thanks.
Jeff

4

Re: LDAP multiple passwords?

jstewart wrote:

I don't see that particular file/path, but I did edit this file (/var instead of /opt):

If your iRedMail server was upgraded from an old iRedMail release, then yes, CentOS uses /var/www/ instead of /opt/www/.

jstewart wrote:

When the password is updated in iRedAdmin-Pro, it is always the first userPassword that gets updated, leaving the second one (and third, etc) that I added manually untouched - correct?

Both will be updated. If it doesn't, please let me know and I will fix it.

jstewart wrote:

Because the settings.py is in the symlinked folder to the designated version directory, changes to that file will not survive an upgrade, correct?

This "settings.py" is a regular file, not a symbolic link. And it will be copied to the upgraded version, so all custom settings are kept.

5

Re: LDAP multiple passwords?

Thanks, and just to be clear, the upgrade process copies the settings.py file from the current version directory to the new version directory? The reason I ask is that the settings.py is physically in the iRedAdmin-Pro-LDAP-3.5 directory which is a symlinked directory:
lrwxrwxrwx  1 root      root        22 Mar 28 08:14 iredadmin -> iRedAdmin-Pro-LDAP-3.5


As to the multiple passwords, I have tested with a couple of accounts by manually adding a new userPassword field, and when I updated the password for that user in the iRedAdmin-Pro interface there is still only one password entry and confirmation on that page. The user's original password is updated, and the second one that I created manually is untouched (which is good). Should I be seeing the multiple password fields now in the iRedAdmin-Pro password change page?

6

Re: LDAP multiple passwords?

jstewart wrote:

just to be clear, the upgrade process copies the settings.py file from the current version directory to the new version directory?

Yes. When upgrading, iRedAdmin-Pro upgrade script will copy files to new directory, then copy settings.py from old version/directory.

jstewart wrote:

As to the multiple passwords, I have tested with a couple of accounts by manually adding a new userPassword field, and when I updated the password for that user in the iRedAdmin-Pro interface there is still only one password entry and confirmation on that page. The user's original password is updated, and the second one that I created manually is untouched (which is good). Should I be seeing the multiple password fields now in the iRedAdmin-Pro password change page?

What do you mean by "manually adding a new userPassword field"? With LDAP command line tools?

Please test it like this:

- First update the iRedAdmin-Pro config file to use multiple password schemes. For example:

DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512'

- Update some user's password in iRedAdmin-Pro.
- Check the LDIF data of this user account. You should see 2 userPassword attributes, and they should be updated at the same time when you change password.

7 (edited by jstewart 2019-04-17 01:41:12)

Re: LDAP multiple passwords?

I think perhaps I didn't make myself clear in what I needed.

I have a user account, testuser@domain.com
I assigned a password - "password1" - through the iRedAdmin dashboard.

Using an LDAP administration tool, (or using a ldif file) to add an attribute, I created a second password - "password2" so there are now two instances of userPassword each with a different value.

This is required because I am also going to be using the LDAP server for Radius authentication and provisioning which requires a second and distinct password for the same user, hence the "password2" entry.

I thought it had worked in testing after making the change you suggested, but I was testing against the wrong LDAP server.

It looks like what is happening is that iRedAdmin is updating both userPassword entries when I modify the password through the dashboard with the same password with different hashes.

What I need is for the Password change in the dashboard to only update the first entry and leave the second one alone. I require two completely different passwords for the same user.

Ideally, I would see both passwords on the dashboard page to allow editing them both separately, but I know that is not likely to happen; I can make any of those changes manually.

And one more question: When I make changes in the settings.py file, what all do I need to restart in order for the changes to take effect?

Thanks!

8

Re: LDAP multiple passwords?

jstewart wrote:

What I need is for the Password change in the dashboard to only update the first entry and leave the second one alone. I require two completely different passwords for the same user.

This is not possible with iRedAdmin-Pro right now. And how should I recognize which one should be updated?

Question for you: Why store 2 different passwords for one user? Why can't it be the same one (either with only one userPassword, or 2 but with different hashes)?

jstewart wrote:

And one more question: When I make changes in the settings.py file, what all do I need to restart in order for the changes to take effect?

With the latest iRedAdmin-Pro, just restart the "iredadmin" service.
If you're running an old iRedMail release with Apache, you have to restart Apache instead.

9

Re: LDAP multiple passwords?

The reason for two passwords is that we need users to have two passwords: one for email, one for their PPPOE login through Radius.
Email passwords get changed regularly, but PPPOE passwords, which are usually stored in the user's router, do not. If the email password is changed and the PPPOE password is updated to the new password, same as the email, then the user is denied access to connect to the internet, leading to support calls trying to help people log into their router and change the broadband password.

As far as knowing which one, could it not be done the same way as other multi-value attributes, such as title, telephone number etc? Or would there be a way of only updating the first entry, and not touching any others?

As I indicated, I know this is not something that would appeal to, or be needed by most other users, but if you could point me in the right direction that would be helpful. Not being able to use multiple passwords is the only thing preventing me from integrating Radius into my LDAP server.

Thanks.
Jeff
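The behaviour discussed in posts 6 and 8 (two userPassword values written with different schemes for one password after a dashboard change, and the open question of how a client would pick one of several values to update) can be illustrated with the following Python. It is an added example for this thread, not iRedAdmin-Pro's or OpenLDAP's own code. It assumes OpenLDAP's storage format for salted schemes, {SCHEME} followed by base64(digest(password + salt) + salt), and the function names (make_hash, check_hash, hashes_for_setting, bind_would_succeed, rotate_matching_values) and sample passwords are this example's own. Two points it makes visible from the defender's side: LDAP attribute values are unordered, so "update the first entry" is not well-defined and a client has to identify the value to replace by verifying the old password against each stored value, then delete that value and add the new one; and slapd's simple bind succeeds when the supplied password matches any stored value, so with two distinct passwords on one entry the PPPoE password also authenticates to mail, and vice versa.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Added example for this thread (not iRedAdmin-Pro's or OpenLDAP's own code).
# Models the {SSHA}/{SSHA512} userPassword values OpenLDAP stores:
#   "{SCHEME}" + base64(digest(password + salt) + salt)
SCHEMES = {"SSHA": hashlib.sha1, "SSHA512": hashlib.sha512}


def make_hash(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Build one userPassword value; the salt is random unless one is given (for tests)."""
    hash_fn = SCHEMES[scheme.upper()]
    salt = os.urandom(8) if salt is None else salt
    raw = hash_fn(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme.upper(), base64.b64encode(raw).decode("ascii"))


def check_hash(password: str, stored: str) -> bool:
    """Verify a password against a single {SSHA}/{SSHA512} value (constant-time compare)."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    hash_fn = SCHEMES.get(scheme.upper())
    if hash_fn is None:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    size = hash_fn().digest_size
    digest, salt = raw[:size], raw[size:]
    expected = hash_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def hashes_for_setting(password: str, setting: str) -> List[str]:
    """Mimic DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512': one value per scheme,
    all for the SAME password (what the thread observes after a dashboard change)."""
    return [make_hash(password, s.strip()) for s in setting.split("+")]


def bind_would_succeed(password: str, values: List[str]) -> bool:
    """slapd's simple bind accepts a password that matches ANY stored value,
    so two distinct passwords both grant the same access to the entry."""
    return any(check_hash(password, v) for v in values)


def rotate_matching_values(values: List[str], old_password: str,
                           new_password: str, scheme: str = "SSHA512") -> Tuple[List[str], str]:
    """Replace only the value(s) that verify against old_password and keep the rest.
    Returns the new value list and the body of an LDIF 'changetype: modify' record
    using delete-by-value + add, which is how a client can touch one value of a
    multi-valued attribute without relying on its position (LDAP values are unordered)."""
    matched = [v for v in values if check_hash(old_password, v)]
    if not matched:
        raise ValueError("old password matches none of the stored userPassword values")
    new_value = make_hash(new_password, scheme)
    kept = [v for v in values if v not in matched]
    ldif = ["changetype: modify", "delete: userPassword"]
    ldif += ["userPassword: " + v for v in matched]
    ldif += ["-", "add: userPassword", "userPassword: " + new_value, "-"]
    return kept + [new_value], "\n".join(ldif)


if __name__ == "__main__":
    # Constructed demo: mail password via 'SSHA+SSHA512', plus a separate PPPoE password.
    entry = hashes_for_setting("password1", "SSHA+SSHA512") + [make_hash("password2", "SSHA")]
    print("stored values:", *entry, sep="\n  ")
    print("bind with password2 succeeds:", bind_would_succeed("password2", entry))
    entry, ldif = rotate_matching_values(entry, "password1", "password3")
    print(ldif)
    print("password1 still binds:", bind_would_succeed("password1", entry))
```

Run as a script it prints the three stored values, shows that the PPPoE password binds, then emits the modify record that removes only the two values matching the old mail password and adds one new value. The same delete-by-value then add sequence is what ldapmodify applies when given that LDIF, so the PPPoE value survives the rotation without the client ever needing to know which value was "first".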

10

Re: LDAP multiple passwords?

I have no idea. sad