#4268 "Unix SHA" broken in ldap users and groups?

1.060
closed-fixed
nobody
None
5
2013-07-11
2013-07-09
Harry Coin
No

"ldap users and groups" has an sha1 related password problem. Notice if you put in a 'normal password' then hit save when "encryption method" is "Unix SHA", the pre-encrypted password later displayed is merely {sha}

Do you need to install libdigest-sha-perl and update the related modules from the deprecated libdigest-sha1-perl?


Discussion

  • Jamie Cameron - 2013-07-10

    What happens if you run the command :

    slappasswd -h sha -s XXX

    where XXX is the password to hash? Does that produce the SHA1 hashed password, or fail with some error?

     
  • Harry Coin - 2013-07-10

    On 07/10/2013 05:05 AM, Jamie Cameron wrote:

    What happens if you run the command :

    slappasswd -h sha -s XXX

    where XXX is the password to hash? Does that produce the SHA1 hashed
    password, or fail with some error?



    There are two suites that provide ldap services. The slapd / openldap
    suite and the 389-* suite. For some reason the standalone tool
    slappasswd only is distributed along with the slapd server which
    requires the removal of the other ldap service suite. So, in short,
    slappasswd isn't available. Moreover, when samba4 gets popular it has
    all that built in and there will be a further problem relying on
    slappasswd.

    In the interim I built a script that makes pwdhash (the slappasswd
    lookalike in the 389 suite) command line compatible with how webmin
    calls slappasswd.

    But really it's an ugly hack, and webmin's ldap user/group manager
    shouldn't depend on any ldap server running on the same machine, much
    less a component of a specific one. If you're going to put in a way to
    customize the slappasswd command, you should go all the way and make it
    possible to customize the arguments as well.

    In the alternative, perl has crypt::hash and digest::sha that do the job
    quite well, looks like your md5_lib.pl (copied three times, once in
    htaccess, once in acl and again in ldap user admin) appears right on the
    edge of being able to step up and so eliminate the need for any external
    program.

     


  • Jamie Cameron - 2013-07-11
    • status: open --> closed-fixed
     
  • Jamie Cameron - 2013-07-11

    Good point .. I will have Webmin use the built-in SHA hash code if slappasswd is missing in future.

     

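The built-in hashing discussed in this thread, sketched as an added example (not code from the thread or from Webmin): it builds the {SHA} value with Perl's core Digest::SHA instead of calling slappasswd, and rejects the bare {sha} result described in the report before it can be stored. The function names and sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not Webmin's code: build and sanity-check an LDAP {SHA}
# userPassword value without running slappasswd.
use strict;
use warnings;
use Digest::SHA qw(sha1);    # core module; successor to the deprecated Digest::SHA1
use MIME::Base64 qw(encode_base64 decode_base64);

# {SHA} value = scheme prefix + base64 of the raw 20-byte SHA-1 digest.
# The password is expected as a byte string.
sub ldap_sha_value {
    my ($password) = @_;
    die "empty password\n" unless defined $password && length $password;
    return '{SHA}' . encode_base64(sha1($password), '');    # '' = no trailing newline
}

# Reject the symptom from this report: a bare "{sha}" prefix with no digest,
# or a payload that does not decode to exactly 20 bytes.
sub is_complete_sha_value {
    my ($value) = @_;
    return 0 unless defined $value && $value =~ /^\{sha\}([A-Za-z0-9+\/]+=*)$/i;
    return length(decode_base64($1)) == 20 ? 1 : 0;
}

# Constructed sample inputs: one generated value, the bare prefix from the
# bug report, and a value whose payload is too short to be a SHA-1 digest.
my $good = ldap_sha_value('secret');
for my $value ($good, '{sha}', '{SHA}dG9vIHNob3J0') {
    printf "%-36s %s\n", $value,
        is_complete_sha_value($value) ? 'ok' : 'REJECT: incomplete hash';
}
```

Running the completeness check on the hashing result before writing userPassword turns a missing helper program into a visible error instead of a stored value with no digest.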