1 (edited by nixargh 2015-03-11 04:15:59)

Topic: Feature request: checkbox to enable {SASL} passwords

==== Required information ====
- iRedMail version:  iRedMail-0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Ubuntu 14.04.2 LTS
- Related log if you're reporting an issue:
====

Hello.

I just finished setting up iRedMail with the LDAP backend and LDAP pass-through authentication. It is very useful in my case because I want to use the full-featured multi-tenancy provided by iRedMail together with passwords from Microsoft AD.
It's quite easy to set up LDAP pass-through, but it requires storing PLAIN text passwords of a special format that point to some principal in AD. It can be done with the ldapmodify utility.
It would be really awesome to have an option in the iRedMail admin UI that allows storing plain text passwords. To prevent security degradation it could be just for the SASL format: "{SASL}test@domain.local". I mean the {SASL} prefix is hardcoded and the administrator can only type the "test@domain.local" part.


2

Re: Feature request: checkbox to enable {SASL} passwords

Excuse me, what's LDAP "Pass-Through" authentication?

With iRedAdmin, you can add 'STORE_PASSWORD_IN_PLAIN_TEXT_TEXT = True' in config file /usr/share/apache2/iredadmin/settings.py, restart Apache. In user password page, or user creation page, it will show you a checkbox to allow storing plain password.

3 (edited by nixargh 2015-03-11 13:04:39)

Re: Feature request: checkbox to enable {SASL} passwords

ZhangHuangbin wrote:

With iRedAdmin, you can add 'STORE_PASSWORD_IN_PLAIN_TEXT_TEXT = True' in config file /usr/share/apache2/iredadmin/settings.py, restart Apache. In user password page, or user creation page, it will show you a checkbox to allow storing plain password.

Great news, I'll try it! Thank you.

ZhangHuangbin wrote:

Excuse me, what's LDAP "Pass-Through" authentication?

It's a specific password storage scheme of OpenLDAP that allows you to pass authentication to another LDAP server.
You can find more details on the OpenLDAP page - http://www.openldap.org/doc/admin24/security.html , paragraph 14.5.

For example, I created the iRedMail user "test@mydomain.com" and set his password to "{SASL}test@ad.local". And "test@ad.local" exists on the backend LDAP. OpenLDAP understands how to handle such a password and uses SASL to authenticate you with the login from iRedMail and the password of "test@ad.local" from MS AD. SASL should be configured on the iRedMail box first; there are a number of howtos on the internet.

If someone is interested I could share a small Puppet manifest to configure pass-through after iRedMail installation on Ubuntu 14.04, or just post my changes.
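To make the two ideas in this thread concrete (the "{SASL}principal" userPassword format described above, and the first post's proposal that the prefix be hardcoded so an admin can only type the principal part), here is a small Python helper. It is an added example, not code from the thread, from iRedMail or from iRedAdmin. The principal pattern, the DN and the sample directory entries are constructed for illustration, and the LDIF it builds is the kind of change record one would feed to ldapmodify.

```python
import re

# Password-scheme prefix for OpenLDAP SASL pass-through, hard-coded as the
# first post proposes so an admin can only supply the principal part.
SASL_PREFIX = "{SASL}"

# Shape of the principal an admin may type: local-part@realm, with no braces,
# whitespace or control characters that could smuggle another scheme in.
# Assumption: this pattern is this example's own rule, not iRedAdmin's.
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+")


def sasl_user_password(principal: str) -> str:
    """Return the userPassword value that passes binds through to `principal`.

    Raises ValueError when the principal does not look like user@realm,
    so a value such as "{SSHA}..." or "{PLAIN}..." cannot be injected
    through a field that is only meant to hold the principal.
    """
    if not PRINCIPAL_RE.fullmatch(principal):
        raise ValueError(f"invalid SASL principal: {principal!r}")
    return SASL_PREFIX + principal


def password_scheme(user_password: str) -> tuple:
    """Split a userPassword value into (scheme, remainder).

    Values without a {SCHEME} prefix are reported with scheme None.
    """
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", user_password, re.S)
    if not m:
        return (None, user_password)
    return (m.group(1).upper(), m.group(2))


def is_passthrough(user_password: str) -> bool:
    """True if slapd would hand this bind to SASL instead of comparing a hash."""
    return password_scheme(user_password)[0] == "SASL"


def modify_ldif(dn: str, principal: str) -> str:
    """Build the LDIF change record for `ldapmodify` that switches `dn` to
    SASL pass-through. The DN layout is an assumption of this example."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {sasl_user_password(principal)}\n"
    )


def audit_passthrough(entries: dict) -> list:
    """Return the DNs whose userPassword is a SASL pass-through value.

    A defender can use this to list which accounts authenticate against the
    remote directory rather than against a locally stored hash.
    """
    return sorted(dn for dn, pw in entries.items() if is_passthrough(pw))


if __name__ == "__main__":
    # Constructed sample directory; DNs and values are illustrative only.
    sample = {
        "mail=test@mydomain.com,ou=Users,dc=example,dc=com": "{SASL}test@ad.local",
        "mail=alice@mydomain.com,ou=Users,dc=example,dc=com": "{SSHA}c2FsdGVkaGFzaGJ5dGVz",
    }
    print(modify_ldif("mail=test@mydomain.com,ou=Users,dc=example,dc=com", "test@ad.local"))
    print(audit_passthrough(sample))
```

The validation in sasl_user_password is the security-relevant part: because the prefix is fixed and the principal is checked before concatenation, the admin-facing field cannot be used to store an arbitrary scheme or a raw plain-text password, which is exactly the degradation the first post wants to avoid.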

4

Re: Feature request: checkbox to enable {SASL} passwords

nixargh wrote:

It's a specific password storage scheme of OpenLDAP that allows you to pass authentication to another LDAP server.
You can find more details on the OpenLDAP page - http://www.openldap.org/doc/admin24/security.html , paragraph 14.5.

Thanks for sharing. I didn't use LDAP pass-through before.

nixargh wrote:

If someone is interested I could share a small Puppet manifest to configure pass-through after iRedMail installation on Ubuntu 14.04, or just post my changes.

Don't wait for others, just share it. smile

5

Re: Feature request: checkbox to enable {SASL} passwords

ZhangHuangbin wrote:

With iRedAdmin, you can add 'STORE_PASSWORD_IN_PLAIN_TEXT_TEXT = True' in config file /usr/share/apache2/iredadmin/settings.py, restart Apache. In user password page, or user creation page, it will show you a checkbox to allow storing plain password.

Hello.
I tried to do this, but the checkbox doesn't appear. Maybe it's only a "Pro" feature?
As a workaround I set "DEFAULT_PASSWORD_SCHEME = 'PLAIN'" and "SQL_PASSWORD_PREFIX_SCHEME = False".

P.S. I chose nginx as HTTP server so uwsgi restart works better than apache wink

6

Re: Feature request: checkbox to enable {SASL} passwords

nixargh wrote:

I tried to do this, but the checkbox doesn't appear. Maybe it's only a "Pro" feature?

Turns out it's a bug in iRedAdmin open source edition, you can fix it with this commit:
https://bitbucket.org/zhb/iredadmin-ose … 86cafcb4a7