1

Topic: Case sensitive domain name in LDAP

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP / 389-ds
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hello,

I'm testing to get iRedMail working with 389-ds. During that process I came across a strange problem of not being able to create users. So I switched back to the normal LDAP and tried it there, also without luck. After digging through the logfiles (which didn't give any clues, everything seems normal) I started digging through the source of iRedAdmin and found out that the domain name is lowercased after the form is submitted. But I have a domain name which has some uppercase letters. Comparing the two domain names resulted in a false return.

I've created a test server with the domain myDOmain.com. When creating a new user the domain name is shown correctly in the web form. After submitting the form iRedAdmin lowercases the domain into mydomain.com. Comparing myDOmain.com and mydomain.com results in a False, so the user isn't created and an error is returned.

The code causing this is located in /var/www/iredadmin/libs/ldaplib/connUtils.py, line 156. For now I added an extra function which lowercases the domains and returns them. Then the comparison is made.

I don't know if this problem also exists in MySQL or PGSQL. Or maybe this is not a problem at all, but then please change the install script to lowercase the domain name as well.

----


2

Re: Case sensitive domain name in LDAP

Bug of iRedMail. Fixed moment ago (convert first domain name to lower cases):
https://bitbucket.org/zhb/iredmail/comm … 6cba9160c5

3

Re: Case sensitive domain name in LDAP

By the way, could you please show me the LDIF data of the accounts which cause this issue? Also, would you mind sharing your modification code of iRedAdmin?

LDAP data should be case insensitive by default, maybe 389-ds turns on a case sensitive setting?

4

Re: Case sensitive domain name in LDAP

ZhangHuangbin wrote:

By the way, could you please show me the LDIF data of the accounts which causes this issue?

I have attached the init LDIF created by the install script (I removed the userPassword). Because it's a test server, the domain is not a real domain. My goal is to move from OpenLDAP to 389-ds and from MySQL to PostgreSQL.
The part which causes the problem is the domainName attribute:

dn: domainName=EdbO.Design.com,o=domains,dc=testserver,dc=edbo,dc=com
objectClass: mailDomain
domainName: EdbO.Design.com
mtaTransport: dovecot
accountStatus: active
accountSetting: minPasswordLength:8
accountSetting: defaultQuota:1024
enabledService: mail

ZhangHuangbin wrote:

also, would you mind sharing your modification code of iRedAdmin?

No problem :) I've attached the patch to connUtils.py

ZhangHuangbin wrote:

LDAP data should be case insensitive by default, maybe 389-ds turn on case sensitive setting?

Nope, that's not the problem, it works properly adding users when the domain name is lowercased or with my changes added to the code. Comparing EdbO.Design.com and edbo.design.com in Python gives you a False because they are not an exact match. But adding a new domain name in iRedAdmin will automatically lowercase the domain name, so change the install script and you are done.

However, I have to say that 389-ds is VERY strict about the attributes and what data you want to put into the different fields. I'm now fighting the userPassword attribute. 389-ds refuses to store the passwords:

"Error: {'info': 'invalid password syntax - passwords with storage scheme are not allowed', 'desc': 'Constraint violation'}"

I'm digging into this one as well and figured out that removing "{SSHA}" fixes the problem, but the password gets completely mangled and is not usable anymore. The strange thing here is that the passwords with the SSHA prefix in the init LDIF file are stored in 389-ds, but from iRedAdmin they are rejected.

Post's attachments

connUtils_edbo_mod.patch 1.03 kb, 4 downloads since 2016-04-04 

ldap_init.ldif 2.6 kb, 4 downloads since 2016-04-04 

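The comparison problem described in the two posts above, shown in code. This is an added example, not the iRedAdmin code or the attached patch: a minimal LDIF reader (plain `:` values, `::` base64 values, multi-valued attributes), a naive lookup that reproduces the failure when the submitted domain has been lowercased but the stored domainName is mixed case, and a lookup that normalises both sides the way DNS names should be compared. The LDIF text is constructed from the entry posted above plus a second, made-up domain; `find_domain_naive`, `find_domain` and `normalize_domain` are names chosen for this example.

```python
import base64

# Constructed sample, modelled on the domain entry posted above. The second
# entry is invented to show multiple entries and a "::" base64 value.
SAMPLE_LDIF = """\
dn: domainName=EdbO.Design.com,o=domains,dc=testserver,dc=edbo,dc=com
objectClass: mailDomain
domainName: EdbO.Design.com
mtaTransport: dovecot
accountStatus: active
accountSetting: minPasswordLength:8
accountSetting: defaultQuota:1024
enabledService: mail

dn: domainName=example.org,o=domains,dc=testserver,dc=edbo,dc=com
objectClass: mailDomain
domainName: example.org
description:: RXhhbXBsZSBPcmc=
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles 'attr: value', 'attr:: base64value', repeated (multi-valued)
    attributes, folded continuation lines and '#' comments. Good enough for
    init files like the one attached to the post; not a full RFC 2849 parser.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_domain(name):
    """Canonical form for comparison: DNS names are case-insensitive
    (RFC 4343), so lower-case them and drop surrounding whitespace and a
    trailing dot."""
    return name.strip().rstrip(".").lower()


def _is_domain(entry):
    return "mailDomain" in entry.get("objectClass", [])


def find_domain_naive(entries, submitted):
    """The behaviour reported above: the form value is lower-cased and then
    compared exactly, so a mixed-case stored domainName never matches."""
    submitted = submitted.lower()
    for entry in entries:
        if _is_domain(entry) and submitted in entry.get("domainName", []):
            return entry
    return None


def find_domain(entries, submitted):
    """Case-insensitive lookup: normalise both sides before comparing."""
    wanted = normalize_domain(submitted)
    for entry in entries:
        if not _is_domain(entry):
            continue
        if any(normalize_domain(v) == wanted for v in entry.get("domainName", [])):
            return entry
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("naive lookup:", find_domain_naive(entries, "EdbO.Design.com"))
    print("normalised lookup:", find_domain(entries, "EdbO.Design.com")["dn"])
```

Normalising on both read and write is the robust fix: store the domain lowercased when it is created (what the install-script change does) and still normalise the submitted value before comparing, so entries created by other tools are matched too. Note that the LDAP server itself may compare case-insensitively if the attribute uses a caseIgnore matching rule; the failure here is in the application-side string comparison, which the server's matching rule cannot help with.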

5

Re: Case sensitive domain name in LDAP

iRedMail requires the password scheme name prefixed in password hash. e.g. {SSHA}, {SSHA512}.

6

Re: Case sensitive domain name in LDAP

ZhangHuangbin wrote:

iRedMail requires the password scheme name prefixed in password hash. e.g. {SSHA}, {SSHA512}.

Problem lies in 389-ds. Changing the password through the 389-console just works, both via console or iRedAdmin. Using an LDIF or a script doesn't work.

7

Re: Case sensitive domain name in LDAP

Just curious, does the password contain scheme name like "{SSHA}"?

8

Re: Case sensitive domain name in LDAP

ZhangHuangbin wrote:

Just curious, does the password contain scheme name like "{SSHA}"?

I changed the password of a user with 389-console and can log in to iRedAdmin with that specific user and password. Doing an ldapsearch and getting that password from 389-ds, it is base64 encoded. Decode it with openssl -s base64 <password> and it comes back with {SSHA} prefixed.

For now I won't focus too much on this. I just want to see if the rest of the system can and will work with 389-ds.
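The password handling discussed in the last few posts, as an added example (not iRedMail's or 389-ds's code): how a `{SSHA}` hash is built and verified, why `ldapsearch` prints the value base64-encoded on a `userPassword::` line even though the stored hash is plain ASCII, and how to tell whether a stored value carries a scheme prefix at all. The `userPassword::` line is constructed inside the block with a fixed salt so the result is reproducible; `make_ssha`, `verify_ssha`, `decode_ldif_value` and `password_scheme` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"


def make_ssha(password, salt=None):
    """Build an RFC 2307-style salted SHA-1 hash:
    '{SSHA}' + base64(sha1(password + salt) + salt).
    A random 4-byte salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a password against a stored {SSHA} value. Anything without that
    exact prefix (another scheme, or cleartext) is rejected here; a real
    consumer would dispatch on the prefix instead."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def decode_ldif_value(line):
    """Split one LDIF attribute line as printed by ldapsearch into
    (attribute, value). A '::' separator means the value is base64-encoded;
    ldapsearch does this for userPassword regardless of content, which is
    why the {SSHA} prefix only appears after decoding."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()


def password_scheme(stored):
    """Return the scheme prefix of a stored hash ('{SSHA}', '{SSHA512}', ...)
    or '' when there is none, i.e. the value is cleartext. Stripping the
    prefix, as tried above, leaves a value the server treats as cleartext,
    so the original password no longer matches."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return ""


def sample_ldapsearch_line(password="correct horse", salt=b"s4lt"):
    """Constructed: what an ldapsearch dump of the attribute looks like when
    the stored value is the {SSHA} hash of `password`."""
    stored = make_ssha(password, salt)
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    line = sample_ldapsearch_line()
    attr, stored = decode_ldif_value(line)
    print(line)
    print(attr, "->", stored, "scheme:", password_scheme(stored))
    print("verify ok:", verify_ssha("correct horse", stored))
    print("verify wrong:", verify_ssha("wrong", stored))
```

Two things worth checking when a pre-hashed value is rejected, neither of which the thread settles: that the client really sends `{SSHA}...` as the attribute value (not the outer base64 that `ldapsearch` shows), and whether the server is configured to accept pre-hashed passwords from LDAP clients at all. In 389-ds that is, to the best of my knowledge and not stated on this page, the `nsslapd-allow-hashed-passwords` setting under `cn=config`; the "passwords with storage scheme are not allowed" error is the symptom of it being off.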

9

Re: Case sensitive domain name in LDAP

Thanks for sharing.