
List:       ispman-users
Subject:    Re: [Ispman-users] crypt vs ssha in ispman
From:       Jeff Meden <jmeden () qn ! net>
Date:       2004-01-22 23:04:06
Message-ID: 401056E6.8030308 () qn ! net

Tony Wasson wrote:

>>>I've noticed a very odd problem with openldap root passwords when using
>>>v 2.1 or 2.2.  The crypt key generated by ispman isn't useful at all,
>>>the cli tools and the web interface both return invalid credentials.
>>>If I replace it with a ssha key (the default from slappasswd) the cli
>>>tools all work fine, but the web interface continues to give the same
>>>error.  Any insight on this would be greatly appreciated.  Thanks!
>>>
>>>Jeff Meden
>>>      
>>>
>
>  
>
>>More info:  I went on to test the same installation of FreeBSD with
>>every version of ldap, with the various possible keys for the ldap
>>password.  In changing only the version of ldap, keeping the key
>>algorithm the same (ssha) I had success on the web interface with 2.0
>>but not with 2.1 and 2.2.  This leads me to believe there must be
>>something different about the authentication coming from the site than
>>from something running at the command line, and something that is
>>incompatible with newer versions of openLDAP.  Has anyone else noticed
>>this?  It's perfectly possible that I'm missing a newer component in
>>perl/apache that allows compatibility, but since ISPman is the only web
>>tool I use that incorporates ldap, I don't have a lot to go on.
>>    
>>
>
>Jeff,
>
>As far as I know, ISPMan is not tested with ssha. A list of the supported
>hash methods is inside the Admin Interface, click Configure, then System
>Configuration.
>
>"The hash method to use for controlpanel passwords, choose one of: clear,
>crypt, md5, sha"
>
>I'm not sure why the crypt password is not working for you. I know that
>there are people using openldap on FreeBSD. I've heard that someone wrote
>a BSD install guide, but I have never seen it. If you get the changes
>needed to make seeded SHA work, please post it. In the meantime, I guess
>you'll have to try SHA or MD5.
>
>Tony Wasson
>
>
>  
>
I think my problem is coming from a couple of things, first of which is 
that I can't tell the difference between an openldap auth rejection and 
the control panel auth rejection, both I believe are designed to say 
'invalid credentials'.  Let me make sure I understand this.  The ispman 
base (the website and the CLI tools) uses the password stored in 
ispman.conf for the openldap auth, and that password just happens to be 
the same as the one that is set for the user ispman within the ldap 
database, which is what's needed to log in to the web site.  So it's safe 
to say that if the cleartext that gets passed to openldap is the right 
password, that it should work both ways.  On the inside, the default 
hash method, which we're thinking for some reason crypt isn't good for, 
should then be changed to something like md5, the ispman account reset 
with an md5 hash, and login should be assured?  Pretty clever.  It 
worked.  I'm definitely interested in contributing to the project, and 
hopefully a few more days of finding things to break will give me enough 
experience to make a difference.   Thanks go to you and Scott for 
pointing this out.

Jeff Meden
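
The thread turns on which hash scheme a stored userPassword value uses. As an added example (not ISPMan or OpenLDAP code, and not from the posters), the Python below builds and checks values in the RFC 2307-style `{SCHEME}base64` layout that slappasswd emits, so a stored value can be tested offline against a candidate password. The function names are hypothetical, and `{CRYPT}` is reported as not handled because its result depends on the host's crypt(3).

```python
import base64, hashlib, hmac, os

# digest algorithm and digest length for the hashed schemes handled here
SCHEMES = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
           "MD5": ("md5", 16), "SMD5": ("md5", 16)}

def split_scheme(stored):
    """Return (SCHEME, payload); a value with no {SCHEME} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEAR", stored

def make_hash(scheme, password, salt=None):
    """Build a userPassword value: base64(digest(password + salt) + salt)."""
    scheme = scheme.upper()
    algo, _ = SCHEMES[scheme]
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""  # unsalted schemes carry the bare digest
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify(stored, password):
    """True/False for handled schemes, None when the scheme is not handled."""
    scheme, payload = split_scheme(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode(), password.encode())
    if scheme not in SCHEMES:
        return None  # e.g. {CRYPT}: depends on the host's crypt(3)
    algo, dlen = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # malformed base64 payload
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) < dlen or (scheme in ("SHA", "MD5") and salt):
        return False  # truncated digest, or trailing bytes on an unsalted value
    calc = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

if __name__ == "__main__":
    # constructed sample values, not taken from the thread
    for value in (make_hash("SSHA", "secret"), make_hash("MD5", "secret"),
                  "{CRYPT}constructed-placeholder"):
        print(value, "->", verify(value, "secret"))
```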

