Ticket #5485 (closed defect: duplicate)

Opened 4 years ago

Last modified 4 years ago

LDAP Plugin not working with all SSHA variants

Reported by: ian@ianbmacdonald.com Assigned to: eblot
Priority: normal Component: LdapPlugin
Severity: major Keywords: ldap ssha mds
Cc: Trac Release: 0.11

Description

Our central LDAP is a Debian Lenny system running MDS (Mandriva Directory Server). In some cases SSHA passwords are not being accepted by Trac LDAP, however they work correctly for all other applications authenticating to the LDAP. Below are some SSHA examples for the password "password", some which work, and the longer variants which fail. The issue is that all our passwords are set using the MDS admin tool, which also sets Samba hashes for NT in the directory schema at the same time. This longer, possibly more secure SSHA variants below are compatible with all LDAP clients and applications except for Trac.

Working Examples:

{SSHA}ERdvT2vhmoUDOvovkgxZxTB/tbbxNVRh (generated using slappasswd)
{SSHA}/rmnnVkCVnGbOQx7H2uIrPdhz4FqHDSb (generated using passwd via pam_ldap exop)

Not Working Examples:

{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW (generated in Luma LDAP browser)
{SSHA}z8ye3oLGySzT90/h+wEDM5rpIyljeE5FbkUxY2thOGtjNVBlZXBDZA== (generated in MDS Admin interface)

Attachments

Change History

07/07/09 19:33:24 changed by eblot

Could it be related to the total length of the password?

07/07/09 19:43:40 changed by ian@ianbmacdonald.com

For the ticket above, we are using current 0.11 0.6.0dev, r6159 and previously r5686, both exhibiting this behaviour. Here is the trac log for one of the failing examples above, 

2009-07-07 13:34:05,967 Trac[main] DEBUG: Dispatching <Request "POST u'/login'">
2009-07-07 13:34:05,995 Trac[ldap_store] INFO: Sasl Failed, trying other.
2009-07-07 13:34:06,031 Trac[ldap_store] INFO: p: ['{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW']
2009-07-07 13:34:06,035 Trac[chrome] DEBUG: Prepare chrome data for request
2009-07-07 13:34:06,095 Trac[ldap_store] INFO: Sasl Failed, trying other.
2009-07-07 13:34:06,179 Trac[ldap_store] INFO: p: ['{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW']
2009-07-07 13:34:06,179 Trac[api] DEBUG: cached (anonymous): 
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2009-07-07 13:34:06,187 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
2009-07-07 13:34:06,187 Trac[session] DEBUG: Retrieving session for ID '97a714b05da13ceabef6eedd'
2009-07-07 13:34:06,271 Trac[main] DEBUG: 349 unreachable objects found.
2009-07-07 13:35:31,298 Trac[main] DEBUG: Dispatching <Request "GET u'/'">
2009-07-07 13:35:31,310 Trac[api] DEBUG: cached (anonymous):

07/07/09 19:53:44 changed by ian@ianbmacdonald.com

Here is what the bind looked like for the above on our LDAP server 

Jul  7 13:34:06 kamino slapd[1381]: conn=65969 fd=62 ACCEPT from IP=xx.xx.xx.xx:37578 (IP=0.0.0.0:389) 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=0 BIND dn="" method=128 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=0 RESULT tag=97 err=0 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SRCH base="dc=xxxx,dc=com" scope=2 deref=0 filter="(objectClass=*)" 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SRCH attr=dn 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SEARCH RESULT tag=101 err=0 nentries=62 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 BIND dn="uid=imacdonald,ou=Users,dc=xxxx,dc=com" method=128 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 BIND dn="uid=imacdonald,ou=Users,dc=xxxx,dc=com" mech=SIMPLE ssf=0 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 RESULT tag=97 err=0 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SRCH base="ou=Users,dc=xxxx,dc=com" scope=1 deref=0 filter="(uid=imacdonald)" 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SRCH attr=userPassword 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=4 UNBIND 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 fd=62 closed

07/08/09 19:19:10 changed by ian@ianbmacdonald.com

  • status changed from new to closed.
  • resolution set to duplicate.

addressed in #1147

Add/Change #5485 (LDAP Plugin not working with all SSHA variants)




Change Properties
Action