From tr at erdfunkstelle.de Wed Dec 25 12:40:35 2024
From: tr at erdfunkstelle.de (Reitelbach, Thomas)
Date: Wed, 25 Dec 2024 13:40:35 +0100
Subject: Kolab User Passwords
Message-ID: <5b40f6ed059aaa1f91187865caa1da0c@erdfunkstelle.de>

Hello list,

I'm running Kolab 16 on CentOS 7 with multi domain support (4 Domains) for some years now.

Today I added a new Kolab User and set the password. But the new user can't login with roundcube ("Login failed" says roundcubemail). And the logs also say failed login.

Old users can still login as usual with their password.

After some investigation I found that "kolab user-info user at domain" shows a "userpassword:" with

u'{SSHA512}................'

and old users are encrypted like this:
u'{SSHA}................'

I guess that with some system update something in the underlying system has changed and new passwords are being stored as SHA512 now, which makes roundcube or ldap fail to check the password.

Has anyone help for me? Can I setup how roundcube webadmin will encode the password in LDAP?
Can I manually set the password in LDAP?
I'm not familiar with LDAP queries and need help with that.

Have a nice Christmas :)

Thomas


From laskov at festa.bg Fri Dec 27 23:30:56 2024
From: laskov at festa.bg (Valentin Laskov)
Date: Sat, 28 Dec 2024 01:30:56 +0200
Subject: Kolab User Passwords
In-Reply-To: <5b40f6ed059aaa1f91187865caa1da0c@erdfunkstelle.de>
References: <5b40f6ed059aaa1f91187865caa1da0c@erdfunkstelle.de>
Message-ID: <2697dd36-099a-47ee-bdf7-284093ee35c3@festa.bg>

Hello,

brute force method:

1. Make an archive using this method:

http://web.archive.org/web/20240524220349/https://docs.kolab.org/administrator-guide/backup-and-restore.html

You will get text files in which the password will look like this:

userPassword:: e1NTSEE1MTJ9MTRGcXZpbE5ScU1mdGNGMFhyYkFZdy9tUkNQcGp5bHZmQ09VTFp
 kcWJwQ2FXY2ZtN2Y0NWptZnJsRnVSeVpLOVk1eHJ4U25wRTA1WFNQajhYYk0vQnR4dzUrN05rMlVz

2. Copy and paste a password from another user whose password you know to a user whose password doesn't work. Don't tell any user about this! :)

3. Restore the backup using the description above. It is probably possible to improvise to perform a partial restore.

4. Cheers and Happy New Year! :)

Valentin Laskov

On 25.12.24 at 14:40, Reitelbach, Thomas wrote:
> Hello list,
>
> I'm running Kolab 16 on CentOS 7 with multi domain support (4 Domains)
> for some years now.
>
> Today I added a new Kolab User and set the password. But the new user
> can't login with roundcube ("Login failed" says roundcubemail). And
> the logs also say failed login.
>
> Old users can still login as usual with their password.
>
> After some investigation I found that "kolab user-info user at domain"
> shows a "userpassword:" with
>
> u'{SSHA512}................'
>
> and old users are encrypted like this:
> u'{SSHA}................'
>
> I guess that with some system update something in the underlying
> system has changed and new passwords are being stored as SHA512 now,
> which makes roundcube or ldap fail to check the password.
>
> Has anyone help for me? Can I setup how roundcube webadmin will encode
> the password in LDAP?
> Can I manually set the password in LDAP?
> I'm not familiar with LDAP queries and need help with that.
>
> Have a nice Christmas :)
>
> Thomas
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users


From mihai at badici.ro Sat Dec 28 08:53:09 2024
From: mihai at badici.ro (Mihai Badici)
Date: Sat, 28 Dec 2024 10:53:09 +0200
Subject: Kolab User Passwords
In-Reply-To: <2697dd36-099a-47ee-bdf7-284093ee35c3@festa.bg>
References: <5b40f6ed059aaa1f91187865caa1da0c@erdfunkstelle.de> <2697dd36-099a-47ee-bdf7-284093ee35c3@festa.bg>
Message-ID: <059432bb-8cdc-4a46-aa80-6ddbcdfc7835@badici.ro>

But the problem is the authentication should not be dependent on hash type.

Authentication is binding the ldap server with user and password. If all the utilities (server and client tools) are compatible the authentication should work with any supported hash type.

So I guess the problem is when you create a new user (with kolab webadmin I assume) the password is hashed outside the ldap tools and inserted as text. I don't use kolab webadmin but I suspect if the ldap server is not supporting ssha512 you can change the hash algorithm either from config file or directly in the code.

To be more specific: you can change a user password in ldap using ldappasswd (from openldap-client):

ldappasswd -D cn=Manager,dc=****** -x -w $rootpass -S "$DN"

This will use the default hashing in ldap server.

But you can also use ldapmodify and change the password as a text - hashed with any algorithm you choose. If you use that way - and for some legitimate reasons I think is the way kolab webadmin is acting - the hash can be or can't be supported.

So probably you can upgrade ldap server or change the hash algorithm. Also you can try to change the password from console as in my example to validate my assumption.

Mihai

On 12/28/24 01:30, Valentin Laskov wrote:
> Hello,
>
> brute force method:
>
> 1. Make an archive using this method:
>
> http://web.archive.org/web/20240524220349/https://docs.kolab.org/administrator-guide/backup-and-restore.html
>
> You will get text files in which the password will look like this:
>
> userPassword::
> e1NTSEE1MTJ9MTRGcXZpbE5ScU1mdGNGMFhyYkFZdy9tUkNQcGp5bHZmQ09VTFp
>  kcWJwQ2FXY2ZtN2Y0NWptZnJsRnVSeVpLOVk1eHJ4U25wRTA1WFNQajhYYk0vQnR4dzUrN05rMlVz
>
> 2. Copy and paste a password from another user whose password you know
> to a user whose password doesn't work. Don't tell any user about this! :)
>
> 3. Restore the backup using the description above. It is probably
> possible to improvise to perform a partial restore.
>
> 4. Cheers and Happy New Year! :)
>
> Valentin Laskov
>
> On 25.12.24 at 14:40, Reitelbach, Thomas wrote:
>> Hello list,
>>
>> I'm running Kolab 16 on CentOS 7 with multi domain support (4
>> Domains) for some years now.
>>
>> Today I added a new Kolab User and set the password. But the new user
>> can't login with roundcube ("Login failed" says roundcubemail). And
>> the logs also say failed login.
>>
>> Old users can still login as usual with their password.
>>
>> After some investigation I found that "kolab user-info user at domain"
>> shows a "userpassword:" with
>>
>> u'{SSHA512}................'
>>
>> and old users are encrypted like this:
>> u'{SSHA}................'
>>
>> I guess that with some system update something in the underlying
>> system has changed and new passwords are being stored as SHA512 now,
>> which makes roundcube or ldap fail to check the password.
>>
>> Has anyone help for me? Can I setup how roundcube webadmin will
>> encode the password in LDAP?
>> Can I manually set the password in LDAP?
>> I'm not familiar with LDAP queries and need help with that.
>>
>> Have a nice Christmas :)
>>
>> Thomas


From tr at erdfunkstelle.de Sat Dec 28 11:21:11 2024
From: tr at erdfunkstelle.de (Thomas Reitelbach)
Date: Sat, 28 Dec 2024 12:21:11 +0100
Subject: Kolab User Passwords
In-Reply-To: <059432bb-8cdc-4a46-aa80-6ddbcdfc7835@badici.ro>
References: <059432bb-8cdc-4a46-aa80-6ddbcdfc7835@badici.ro>
Message-ID:

An HTML attachment was scrubbed...
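To make Mihai's point concrete (a {SSHA512} value is a perfectly good salted hash; what decides the bind is whether the LDAP server knows how to evaluate that scheme) and to show what the `userPassword::` lines in Valentin's backup text contain, here is an added example that is not code from the thread, from Kolab or from OpenLDAP: it builds and verifies `{SSHA}`/`{SSHA512}` values in the usual `{SCHEME}base64(digest(password+salt)+salt)` layout and folds/unfolds the LDIF so a stored value can be read back and checked offline. The scheme table, the 8-byte salt, the fold width and the example DN are my assumptions, not taken from the page.

```python
import base64
import hashlib
import hmac
import secrets

# Salted-hash schemes as stored in an LDAP userPassword attribute (assumed table):
#   "{SCHEME}" + base64(digest(password + salt) + salt)
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Build a {SSHA*} value the way a client-side hasher (e.g. a web admin UI) would."""
    salt = secrets.token_bytes(8) if salt is None else salt  # 8-byte salt is an assumption
    digest = SCHEMES[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(password, stored, server_schemes=frozenset(SCHEMES)):
    """True/False for a hash the server can evaluate; None when the scheme is unknown
    to it, which is the case where a simple bind fails although the hash itself is fine."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}... value")
    scheme, _, b64 = stored[1:].partition("}")
    if scheme not in server_schemes:
        return None
    raw = base64.b64decode(b64)
    n = SCHEMES[scheme]().digest_size          # digest comes first, salt is the remainder
    digest, salt = raw[:n], raw[n:]
    return hmac.compare_digest(SCHEMES[scheme](password.encode() + salt).digest(), digest)


def ldif_entry(dn, stored, width=64):
    """Render an entry as an LDIF backup does: '::' marks a base64-encoded value and
    long values are folded onto continuation lines that start with one space."""
    b64 = base64.b64encode(stored.encode()).decode()
    folded = "\n ".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "dn: %s\nuserPassword:: %s\n" % (dn, folded)


def unfold_ldif(text):
    """Undo the folding and decode '::' values, so the stored {SCHEME} hash is readable."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]              # continuation line: append without the space
        else:
            lines.append(line)
    attrs = {}
    for line in lines:
        if not line:
            continue
        key, sep, value = line.partition("::" if "::" in line else ":")
        attrs[key.strip()] = base64.b64decode(value.strip()).decode() if sep == "::" else value.strip()
    return attrs
```

Running `verify` with `server_schemes={"SSHA"}` against a `{SSHA512}` value returns None rather than False, which is the distinction between "wrong password" and "server cannot evaluate this hash" that the thread is about.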