1 (edited by rahman 2010-10-25 20:20:12)

Topic: [SOLVED]Migration from LDAP backed old mail server

Hi,

I am trying to migrate from Postfix + Dovecot mail server. The problem is iRedMail stores user passwords as ssha in ldap. My old server stores users password in MD5. How can I make iRedMail to use and store user password as MD5?

2

Re: [SOLVED]Migration from LDAP backed old mail server

You can store MD5 password in LDAP too. Prepend "{MD5}" before your encrypted password.

3

Re: [SOLVED]Migration from LDAP backed old mail server

ZhangHuangbin wrote:

You can store MD5 password in LDAP too. Prepend "{MD5}" before your encrypted password.

Thanks for your quick reply smile

The problem is I already did it. I imported old users to iRedMail Ldap server with password fields like "{MD5}aasdasdasdaasdsd==" But roundcube refuse to login the imported users. If I create new users via iRedAdmin, It stores user passwords as SSHA and roundcube logins with success.

I also don't want to combine MD5 and SSHA. Can I configure iRedMail to use md5 for LDAP by default?

Thanks.

4

Re: [SOLVED]Migration from LDAP backed old mail server

You can set default password scheme in OpenLDAP config file (slapd.conf).

Search "password-hash" in this page: http://linux.die.net/man/5/slapd.conf

5

Re: [SOLVED]Migration from LDAP backed old mail server

ZhangHuangbin wrote:

You can set default password scheme in OpenLDAP config file (slapd.conf).

Search "password-hash" in this page: http://linux.die.net/man/5/slapd.conf

My userPassword fields has {MD5} tag, do I need this option really?

Anyways, I set this option but it didn't make iRedAdmin to create users with MD5. Also still roundcube can't login for my old imported users with md5 passwords.

Btw, I am using iRedOs if it helps.

6

Re: [SOLVED]Migration from LDAP backed old mail server

You password is PLAIN-MD5 or salted MD5?

7

Re: [SOLVED]Migration from LDAP backed old mail server

ZhangHuangbin wrote:

You password is PLAIN-MD5 or salted MD5?

plain base64 encoded MD5

8

Re: [SOLVED]Migration from LDAP backed old mail server

Could you please give us a sample password, and it's plain password?

9 (edited by rahman 2010-10-25 17:47:26)

Re: [SOLVED]Migration from LDAP backed old mail server

userpassword: {MD5}4QrcOUm6Wau+VuBX8g+IPg==

I modified iredadmin/libs/** user.py and ldaputils.py .So I can configure iredadmin to use b64 MD5 as an option which worked well. I created a test user: test@mydomain.com with password: 123456. I see "{MD5}4QrcOUm6Wau+VuBX8g+IPg==" when I look via phpldapadmin. So far so good. I can login to roundcube with this iredadmin created accound. BUT, there is also a test account in my imported users that has the same userPassword field: {MD5}4QrcOUm6Wau+VuBX8g+IPg==  which fails to login via roundcube.

It seems the issue is not MD5 issue. Here is the ldiff I used to import my old user accounts:


dn: mail=test2@foo.bar,ou=Users,domainName=foo.bar,o=domain
s,dc=foo,dc=bar
changetype: add
objectCLass: inetOrgPerson
objectCLass: mailUser
objectCLass: shadowAccount
mail: test@foo.bar
userPassword: {MD5}4QrcOUm6Wau+VuBX8g+IPg==
mailQuota: 1024
cn: test2
sn: test2
uid: test2
storageBaseDirectory: /var/vmail
mailMessageStore: vmail1/foo.bar/test/
homeDirectory: /var/vmail/vmail1/foo.bar/test2/
accountStatus: active
mtaTransport: dovecot
enabledService: mail
enabledService: smtp
enabledService: pop3
enabledService: imap
enabledService: deliver
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: managesieve
enabledService: displayedInGlobalAddressBook
memberOfGroup:: DQ==
memberOfGroup:: Cg==



Please note that I did not create the user home directory under /var/vmail. I thought it is created when the first login success. Or am I wrong? Does iRedAdmin also create the user dir?

Thanks.


EDIT: I also copied old mailbox to /var/vmail/vmail1/foo.bar/test2 it did not worked either. So I am clueless why it doesn't work on imported accounts

10

Re: [SOLVED]Migration from LDAP backed old mail server

rahman wrote:

Please note that I did not create the user home directory under /var/vmail. I thought it is created when the first login success. Or am I wrong? Does iRedAdmin also create the user dir?

Dovecot will create maildir when user first login.

It's better to turn on all debug setting in dovecot for troubleshooting.

11

Re: [SOLVED]Migration from LDAP backed old mail server

After I enabled dovecot auth_debug I get this for imported users:


dovecot: Oct 25 09:51:46 Info: auth(default): ldap(test2@foo.bar,127.0.0.1): unknown user

But in phpldapadmin I see the accounts are there with the new created accounts in the same ldap tree. I am really confused now.

12

Re: [SOLVED]Migration from LDAP backed old mail server

I just found whats wrong. I used a python script that I found in one of forum posts to import my existing users. It lacks the enabledService: shadowaddress so imported users couldn't login to roundcube. Now everything is fine.

Thanks

13

Re: [SOLVED]Migration from LDAP backed old mail server

rahman wrote:

I just found whats wrong. I used a python script that I found in one of forum posts to import my existing users. It lacks the enabledService: shadowaddress so imported users couldn't login to roundcube. Now everything is fine.

Thanks

Can share the script ?

14

Re: [SOLVED]Migration from LDAP backed old mail server

Sure. But be aware that I removed "group" section from the original script as I don't use them. I used old servers phpldapadmin to export all accounts as CSV, this script to create iRedMail compatible ldif from csv file. Then new servers phpmyadmin to import the ldif. if you have non ascii chars in your old accounts dont use phpldapadmin to export csv file. It seems it doesn't use uft8.