1

Topic: LDAP multiple passwords?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have a requirement to store multiple passwords for users (for instance mail and PPPOE passwords which we need to keep separate, but the usernames are the same). I can manually add a second password to an account, but as soon as the user is updated using iRedAdmin the second password is removed.

Since userPassword is a multi-valued attribute is there a way to implement this, and ideally have the ability to create multiple passwords in the iRedAdmin interface the same way multi-valued attributes such as telephoneNumber are handled?

I realize this is not going to be a common requirement for most iRedMail users, but is there somewhere you could point me to alter the interface and update script to allow me to accomplish this?

Thanks.

2

Re: LDAP multiple passwords?

It's offered by iRedAdmin-Pro. Just add the password methods you want, like below, in the iRedAdmin-Pro config file (/opt/www/iredadmin/settings.py); we use SSHA and SSHA512 as an example here:

DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512'

Easy?

Check the comment lines of this parameter in file /opt/www/iredadmin/libs/default_settings.py for more details. Let me know if it doesn't work for you.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: LDAP multiple passwords?

I don't see that particular file/path, but I did edit this file (/var instead of /opt):

/var/www/iredadmin/settings.py (I'm guessing that is the one you are referring to)

##############################################################################
# Place your custom settings below, you can override all settings in this file
# and libs/default_settings.py here.
#
DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512'

That seems to do the trick, but I have a couple of questions.

When the password is updated in iRedAdmin-Pro, it is always the first userPassword that gets updated, leaving the second one (and third, etc) that I added manually untouched - correct?

Because the settings.py is in the symlinked folder to the designated version directory, changes to that file will not survive an upgrade, correct?

Thanks.
Jeff

4

Re: LDAP multiple passwords?

jstewart wrote:

I don't see that particular file/path, but I did edit this file (/var instead of /opt):

If your iRedMail server was upgraded from an old iRedMail release, then yes, CentOS uses /var/www/ instead of /opt/www/.

jstewart wrote:

When the password is updated in iRedAdmin-Pro, it is always the first userPassword that gets updated, leaving the second one (and third, etc) that I added manually untouched - correct?

Both will be updated. If they aren't, please let me know and I will fix it.

jstewart wrote:

Because the settings.py is in the symlinked folder to the designated version directory, changes to that file will not survive an upgrade, correct?

This "settings.py" is a regular file, not a symbolic link. And it will be copied to the upgraded version, so all custom settings are kept.

5

Re: LDAP multiple passwords?

Thanks, and just to be clear, the upgrade process copies the settings.py file from the current version directory to the new version directory? The reason I ask is that the settings.py is physically in the iRedAdmin-Pro-LDAP-3.5 directory which is a symlinked directory:
lrwxrwxrwx  1 root      root        22 Mar 28 08:14 iredadmin -> iRedAdmin-Pro-LDAP-3.5


As to the multiple passwords, I have tested with a couple of accounts by manually adding a new userPassword field, and when I updated the password for that user in the iRedAdmin-Pro interface there is still only one password entry and confirmation on that page. The user's original password is updated, and the second one that I created manually is untouched (which is good). Should I be seeing the multiple password fields now in the iRedAdmin-Pro password change page?

6

Re: LDAP multiple passwords?

jstewart wrote:

just to be clear, the upgrade process copies the settings.py file from the current version directory to the new version directory?

Yes. When upgrading, the iRedAdmin-Pro upgrade script will copy files to the new directory, then copy settings.py from the old version/directory.

jstewart wrote:

As to the multiple passwords, I have tested with a couple of accounts by manually adding a new userPassword field, and when I updated the password for that user in the iRedAdmin-Pro interface there is still only one password entry and confirmation on that page. The user's original password is updated, and the second one that I created manually is untouched (which is good). Should I be seeing the multiple password fields now in the iRedAdmin-Pro password change page?

What do you mean by "manually adding a new userPassword field"? With LDAP command-line tools?

Please test it like this:

- First update the iRedAdmin-Pro config file to use multiple password schemes, for example:

DEFAULT_PASSWORD_SCHEME = 'SSHA+SSHA512'

- Update some user's password in iRedAdmin-Pro.
- Check the LDIF data of this user account. You should see 2 userPassword attributes, and they should be updated at the same time when you change password.

7 (edited by jstewart 2019-04-17 01:41:12)

Re: LDAP multiple passwords?

I think perhaps I didn't make myself clear in what I needed.

I have a user account, testuser@domain.com
I assigned a password - "password1" - through the iRedAdmin dashboard.

Using an LDAP administration tool (or an LDIF file) to add an attribute, I created a second password - "password2" - so there are now two instances of userPassword, each with a different value.

This is required because I am also going to be using the LDAP server for Radius authentication and provisioning which requires a second and distinct password for the same user, hence the "password2" entry.

I thought it had worked in testing after making the change you suggested, but I was testing against the wrong LDAP server.

It looks like what is happening is that iRedAdmin is updating both userPassword entries when I modify the password through the dashboard with the same password with different hashes.

What I need is for the Password change in the dashboard to only update the first entry and leave the second one alone. I require two completely different passwords for the same user.

Ideally, I would see both passwords on the dashboard page to allow editing them both separately, but I know that is not likely to happen, I can make any of those changes manually.

And one more question: When I make changes in the settings.py file, what all do I need to restart in order for the changes to take effect?

Thanks!
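
An added example (not part of any post in this thread and not iRedAdmin-Pro's own code) for the check described in posts 6 and 7: it reads the userPassword values from an account's LDIF and reports which of them verify against a given plaintext. It assumes the usual salted layout, `{SSHA}` / `{SSHA512}` followed by base64(digest(password + salt) + salt); the DN and the sample entry are constructed.

```python
import base64
import hashlib
import hmac
import os

# Scheme tag -> (hash constructor, digest length in bytes).
SCHEMES = {"SSHA": (hashlib.sha1, 20), "SSHA512": (hashlib.sha512, 64)}

def make_hash(scheme, password):
    """Return '{SCHEME}' + base64(digest(password + salt) + salt)."""
    salt = os.urandom(8)
    blob = SCHEMES[scheme][0](password.encode() + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode())

def verify(stored, password):
    """True if `stored` is a salted hash of `password` in a known scheme."""
    scheme, sep, b64 = stored[1:].partition("}")
    if not stored.startswith("{") or not sep or scheme.upper() not in SCHEMES:
        return False
    hash_fn, size = SCHEMES[scheme.upper()]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return len(raw) > size and hmac.compare_digest(
        raw[:size], hash_fn(password.encode() + raw[size:]).digest())

def user_passwords(ldif_text):
    """Collect userPassword values from one LDIF entry."""
    values = []
    # Undo LDIF line folding (continuation lines start with one space).
    for line in ldif_text.replace("\n ", "").splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.lower() != "userpassword":
            continue
        if value.startswith(":"):  # 'userPassword:: ...' is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode()
        values.append(value.strip())
    return values

def matching_schemes(ldif_text, password):
    """Scheme tags of the userPassword values that `password` verifies."""
    return [v[1:v.index("}")] for v in user_passwords(ldif_text)
            if verify(v, password)]

# Constructed sample: "password1" under both schemes, one value folded.
B64 = base64.b64encode(make_hash("SSHA512", "password1").encode()).decode()
SAMPLE = ("dn: mail=testuser@domain.com,dc=example\n"
          "userPassword: " + make_hash("SSHA", "password1") + "\n"
          "userPassword:: " + B64[:60] + "\n " + B64[60:] + "\n")
```

If `matching_schemes` returns every scheme tag for one plaintext, all values are hashes of the same password; a separately maintained value would show up only for its own plaintext.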