Modify

Opened 5 years ago

Closed 5 years ago

#5485 closed defect (duplicate)

LDAP Plugin not working with all SSHA variants

Reported by: ian@… Owned by: eblot
Priority: normal Component: LdapPlugin
Severity: major Keywords: ldap ssha mds
Cc: Trac Release: 0.11

Description

Our central LDAP is a Debian Lenny system running MDS (Mandriva Directory Server). In some cases SSHA passwords are not being accepted by Trac LDAP, however they work correctly for all other applications authenticating to the LDAP. Below are some SSHA examples for the password "password", some which work, and the longer variants which fail. The issue is that all our passwords are set using the MDS admin tool, which also sets Samba hashes for NT in the directory schema at the same time. This longer, possibly more secure SSHA variants below are compatible with all LDAP clients and applications except for Trac.

Working Examples:

{SSHA}ERdvT2vhmoUDOvovkgxZxTB/tbbxNVRh (generated using slappasswd)
{SSHA}/rmnnVkCVnGbOQx7H2uIrPdhz4FqHDSb (generated using passwd via pam_ldap exop)


Not Working Examples:

{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW (generated in Luma LDAP browser)
{SSHA}z8ye3oLGySzT90/h+wEDM5rpIyljeE5FbkUxY2thOGtjNVBlZXBDZA== (generated in MDS Admin interface)

Attachments (0)

Change History (4)

comment:1 Changed 5 years ago by eblot

Could it be related to the total length of the password?

comment:2 Changed 5 years ago by ian@…

For the ticket above, we are using current 0.11 0.6.0dev, r6159 and previously r5686, both exhibiting this behaviour. Here is the trac log for one of the failing examples above,

2009-07-07 13:34:05,967 Trac[main] DEBUG: Dispatching <Request "POST u'/login'">
2009-07-07 13:34:05,995 Trac[ldap_store] INFO: Sasl Failed, trying other.
2009-07-07 13:34:06,031 Trac[ldap_store] INFO: p: ['{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW']
2009-07-07 13:34:06,035 Trac[chrome] DEBUG: Prepare chrome data for request
2009-07-07 13:34:06,095 Trac[ldap_store] INFO: Sasl Failed, trying other.
2009-07-07 13:34:06,179 Trac[ldap_store] INFO: p: ['{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW']
2009-07-07 13:34:06,179 Trac[api] DEBUG: cached (anonymous): 
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2009-07-07 13:34:06,187 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
2009-07-07 13:34:06,187 Trac[session] DEBUG: Retrieving session for ID '97a714b05da13ceabef6eedd'
2009-07-07 13:34:06,271 Trac[main] DEBUG: 349 unreachable objects found.
2009-07-07 13:35:31,298 Trac[main] DEBUG: Dispatching <Request "GET u'/'">
2009-07-07 13:35:31,310 Trac[api] DEBUG: cached (anonymous):

comment:3 Changed 5 years ago by ian@…

Here is what the bind looked like for the above on our LDAP server

Jul  7 13:34:06 kamino slapd[1381]: conn=65969 fd=62 ACCEPT from IP=xx.xx.xx.xx:37578 (IP=0.0.0.0:389) 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=0 BIND dn="" method=128 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=0 RESULT tag=97 err=0 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SRCH base="dc=xxxx,dc=com" scope=2 deref=0 filter="(objectClass=*)" 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SRCH attr=dn 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SEARCH RESULT tag=101 err=0 nentries=62 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 BIND dn="uid=imacdonald,ou=Users,dc=xxxx,dc=com" method=128 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 BIND dn="uid=imacdonald,ou=Users,dc=xxxx,dc=com" mech=SIMPLE ssf=0 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 RESULT tag=97 err=0 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SRCH base="ou=Users,dc=xxxx,dc=com" scope=1 deref=0 filter="(uid=imacdonald)" 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SRCH attr=userPassword 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=4 UNBIND 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 fd=62 closed

comment:4 Changed 5 years ago by ian@…

  • Resolution set to duplicate
  • Status changed from new to closed

addressed in #1147

Add Comment

Modify Ticket

Action
as closed .
as The resolution will be set. Next status will be 'closed'.
to The owner will be changed from eblot. Next status will be 'closed'.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.