Opened 15 years ago

Closed 15 years ago

#5485 closed defect (duplicate)

LDAP Plugin not working with all SSHA variants

Reported by: ian@…
Owned by: Emmanuel Blot
Priority: normal
Component: LdapPlugin
Severity: major
Keywords: ldap ssha mds
Cc:
Trac Release: 0.11

Description

Our central LDAP is a Debian Lenny system running MDS (Mandriva Directory Server). In some cases SSHA passwords are not being accepted by Trac LDAP; however, they work correctly for all other applications authenticating to the LDAP. Below are some SSHA examples for the password "password", some of which work, and the longer variants which fail. The issue is that all our passwords are set using the MDS admin tool, which also sets Samba hashes for NT in the directory schema at the same time. These longer, possibly more secure SSHA variants below are compatible with all LDAP clients and applications except for Trac.

Working Examples:

{SSHA}ERdvT2vhmoUDOvovkgxZxTB/tbbxNVRh (generated using slappasswd)
{SSHA}/rmnnVkCVnGbOQx7H2uIrPdhz4FqHDSb (generated using passwd via pam_ldap exop)

Not Working Examples:

{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW (generated in Luma LDAP browser)
{SSHA}z8ye3oLGySzT90/h+wEDM5rpIyljeE5FbkUxY2thOGtjNVBlZXBDZA== (generated in MDS Admin interface)
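The four hashes above differ only in how much data follows the 20-byte SHA-1 digest: the working ones carry a 4-byte salt, the failing ones 16 and 20 bytes. The following Python is an added example (not code from the LdapPlugin or from the reporter) of an SSHA check that treats everything after the digest as salt, beside a constructed verifier that assumes a fixed 4-byte salt, to show how such an assumption would reject the longer variants; the ticket itself does not state the plugin's actual defect, so the fixed-salt variant is only an illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # an SSHA payload is SHA-1(password || salt) followed by the salt


def split_ssha(value):
    """Return (digest, salt) from a '{SSHA}...' string; the salt may be any length."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an SSHA hash")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) < SHA1_LEN:
        raise ValueError("SSHA payload shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password, value):
    """Recompute SHA-1(password || salt) over the whole salt and compare in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_ssha_fixed_salt(password, value):
    """Constructed for illustration: a verifier that hard-codes a 4-byte salt.
    It agrees with verify_ssha on slappasswd-style hashes and fails on longer salts."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt[:4]).digest()
    return hmac.compare_digest(candidate, digest)


def make_ssha(password, salt=None, salt_len=16):
    """Constructed helper: build an SSHA hash with a salt of the requested length."""
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# The four hashes quoted in the ticket, in the order given there.
TICKET_HASHES = [
    "{SSHA}ERdvT2vhmoUDOvovkgxZxTB/tbbxNVRh",
    "{SSHA}/rmnnVkCVnGbOQx7H2uIrPdhz4FqHDSb",
    "{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW",
    "{SSHA}z8ye3oLGySzT90/h+wEDM5rpIyljeE5FbkUxY2thOGtjNVBlZXBDZA==",
]


def salt_lengths(values):
    """Salt length of each hash; for TICKET_HASHES this is [4, 4, 16, 20]."""
    return [len(split_ssha(v)[1]) for v in values]
```

Running verify_ssha("password", h) over TICKET_HASHES checks whether each stored value really encodes the password the reporter names, independently of the plugin.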

Attachments (0)

Change History (4)

comment:1 Changed 15 years ago by Emmanuel Blot

Could it be related to the total length of the password?

comment:2 Changed 15 years ago by ian@…

For the ticket above, we are using current 0.11 0.6.0dev, r6159 and previously r5686, both exhibiting this behaviour. Here is the trac log for one of the failing examples above:

2009-07-07 13:34:05,967 Trac[main] DEBUG: Dispatching <Request "POST u'/login'">
2009-07-07 13:34:05,995 Trac[ldap_store] INFO: Sasl Failed, trying other.
2009-07-07 13:34:06,031 Trac[ldap_store] INFO: p: ['{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW']
2009-07-07 13:34:06,035 Trac[chrome] DEBUG: Prepare chrome data for request
2009-07-07 13:34:06,095 Trac[ldap_store] INFO: Sasl Failed, trying other.
2009-07-07 13:34:06,179 Trac[ldap_store] INFO: p: ['{SSHA}zjR1uYpPNn7zdYalptR5qjs/Lrk1QnRYcU9CcW1zZ2l0TkdW']
2009-07-07 13:34:06,179 Trac[api] DEBUG: cached (anonymous): 
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2009-07-07 13:34:06,183 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2009-07-07 13:34:06,187 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
2009-07-07 13:34:06,187 Trac[session] DEBUG: Retrieving session for ID '97a714b05da13ceabef6eedd'
2009-07-07 13:34:06,271 Trac[main] DEBUG: 349 unreachable objects found.
2009-07-07 13:35:31,298 Trac[main] DEBUG: Dispatching <Request "GET u'/'">
2009-07-07 13:35:31,310 Trac[api] DEBUG: cached (anonymous):

comment:3 Changed 15 years ago by ian@…

Here is what the bind looked like for the above on our LDAP server:

Jul  7 13:34:06 kamino slapd[1381]: conn=65969 fd=62 ACCEPT from IP=xx.xx.xx.xx:37578 (IP=0.0.0.0:389) 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=0 BIND dn="" method=128 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=0 RESULT tag=97 err=0 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SRCH base="dc=xxxx,dc=com" scope=2 deref=0 filter="(objectClass=*)" 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SRCH attr=dn 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=1 SEARCH RESULT tag=101 err=0 nentries=62 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 BIND dn="uid=imacdonald,ou=Users,dc=xxxx,dc=com" method=128 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 BIND dn="uid=imacdonald,ou=Users,dc=xxxx,dc=com" mech=SIMPLE ssf=0 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=2 RESULT tag=97 err=0 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SRCH base="ou=Users,dc=xxxx,dc=com" scope=1 deref=0 filter="(uid=imacdonald)" 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SRCH attr=userPassword 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 op=4 UNBIND 
Jul  7 13:34:06 kamino slapd[1381]: conn=65969 fd=62 closed

comment:4 Changed 15 years ago by ian@…

Resolution: duplicate
Status: new → closed

addressed in #1147
