Kolab User Passwords

Mihai Badici mihai at badici.ro
Sat Dec 28 08:53:09 UTC 2024


But the problem is the authentication should not be dependent on hash 
type. Authentication is binding the ldap server with user and password. 
If all the utilities (server and client tools) are compatible the 
authentication should work with any supported hash type.

So I guess the problem is when you create a new user (with kolab 
webadmin I assume) the password is hashed outside the ldap tools and 
inserted as text. I don't use kolab webadmin but I suspect if the ldap 
server is not supporting ssha512 you can change the hash algorithm either 
from config file or directly in the code.

To be more specific: you can change a user password in ldap using 
ldappasswd (from openldap-client):

ldappasswd -D cn=Manager,dc=****** -x -w "$rootpass" -S "$DN"

This will use the default hashing in ldap server.

But you can also use ldapmodify and change the password as a text - 
hashed with any algorithm you choose. If you use that way - and for some 
legitimate reasons I think it is the way kolab webadmin is acting - the 
hash can be or can't be supported. So probably you can upgrade ldap 
server or change the hash algorithm. Also you can try to change the 
password from console as in my example to validate my assumption.

Mihai



On 12/28/24 01:30, Valentin Laskov wrote:
> Hello,
>
> brute force method:
>
> 1. Make an archive using this method:
>
> http://web.archive.org/web/20240524220349/https://docs.kolab.org/administrator-guide/backup-and-restore.html 
>
>
> You will get text files in which the password will look like this:
>
> userPassword:: 
> e1NTSEE1MTJ9MTRGcXZpbE5ScU1mdGNGMFhyYkFZdy9tUkNQcGp5bHZmQ09VTFp
>  kcWJwQ2FXY2ZtN2Y0NWptZnJsRnVSeVpLOVk1eHJ4U25wRTA1WFNQajhYYk0vQnR4dzUrN05rMlVz 
>
>
> 2. Copy and paste a password from another user whose password you know 
> to a user whose password doesn't work. Don't tell any user about this! :)
>
> 3. Restore the backup using the description above. It is probably 
> possible to improvise to perform a partial restore.
>
> 4. Cheers and Happy New Year! :)
>
> Valentin Laskov
>
> On 25.12.24 at 14:40, Reitelbach, Thomas wrote:
>> Hello list,
>>
>> I'm running Kolab 16 on CentOS 7 with multi domain support (4 
>> Domains) for some years now.
>>
>> Today I added a new Kolab User and set the password. But the new user 
>> can't login with roundcube ("Login failed" says roundcubemail). And 
>> the logs also say failed login.
>>
>> Old users can still login as usual with their password.
>>
>> After some investigation I found that "kolab user-info user at domain" 
>> shows a "userpassword:" with
>>
>> u'{SSHA512}................'
>>
>> and old users are encrypted like this:
>> u'{SSHA}................'
>>
>> I guess that with some system update something in the underlying 
>> system has changed and new passwords are being stored as SHA512 now, 
>> which makes roundcube or ldap fail to check the password.
>>
>> Does anyone have help for me? Can I setup how roundcube webadmin will 
>> encode the password in LDAP?
>> Can I manually set the password in LDAP?
>> I'm not familiar with LDAP queries and need help with that.
>>
>> Have a nice Christmas :)
>>
>> Thomas
>> _______________________________________________
>> users mailing list
>> users at lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/users
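
Added example (not part of the original thread and not Kolab code): a small audit of an LDIF export that reports which hash scheme each userPassword value uses, including base64 "::" values like the one quoted above, and checks a known password against {SSHA} and {SSHA512} values offline. The DNs, passwords and salts are constructed sample data, and the layout assumed is base64(digest(password + salt) + salt) after the scheme prefix.

```python
import base64, hashlib, hmac

SCHEMES = {"SSHA": hashlib.sha1, "SSHA512": hashlib.sha512}

def make_hash(scheme, password, salt):
    """Build '{SCHEME}' + base64(digest(password + salt) + salt)."""
    digest = SCHEMES[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def parse_ldif(text):
    """Return {dn: userPassword}; unfold continuation lines, decode '::' values."""
    result, dn = {}, None
    for line in text.replace("\n ", "").splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            result[dn] = base64.b64decode(line[15:]).decode()
        elif line.startswith("userPassword: "):
            result[dn] = line[14:]
    return result

def scheme_of(value):
    """Scheme name from the leading braces, or 'CLEARTEXT' if there is none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"

def audit(text):
    """Map each DN to the hash scheme of its stored password."""
    return {dn: scheme_of(v) for dn, v in parse_ldif(text).items()}

def verify(value, password):
    """True/False for SSHA and SSHA512 values, None for any other scheme."""
    scheme = scheme_of(value)
    if scheme not in SCHEMES:
        return None
    raw = base64.b64decode(value[value.index("}") + 1:])
    size = SCHEMES[scheme]().digest_size
    expected = SCHEMES[scheme](password.encode() + raw[size:]).digest()
    return hmac.compare_digest(raw[:size], expected)

# Constructed sample: one old-style entry, one new-style entry (base64, folded).
_new = base64.b64encode(make_hash("SSHA512", "new-pass", b"saltsalt").encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=old,ou=People,dc=example,dc=org\n"
    "userPassword: " + make_hash("SSHA", "old-pass", b"salt") + "\n\n"
    "dn: uid=new,ou=People,dc=example,dc=org\n"
    "userPassword:: " + _new[:40] + "\n " + _new[40:] + "\n"
)
```

If verify() returns True for a value but the LDAP bind still fails, the stored hash is correct and the server side does not accept that scheme.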