View Issue Details

ID: 0003349
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2021-11-17 14:49
Reporter: jfranken
Assigned To:
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended
Platform: [Server] Linux
OS: Debian
OS Version: 7 (Wheezy)
Product Version: 2.3.2
Summary: 0003349: change LDAP passwords through SOGo
Description

I cannot change my (LDAP-) password through SOGo.

SOGo shows this error message in browser:
Unhandled policy error: 32766

and in /var/log/sogo/sogo.log:
Sep 11 13:46:56 sogod [26132]: <0x0x7f4bd3ef8230[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldaps://ldap.jfranken:636
2015-09-11 13:46:56.024 sogod[26132] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base '' filter '(objectclass=*)' for attrs 'supportedCapabilities'
Sep 11 13:46:56 sogod [26132]: [ERROR] <0x0x7f4bd393beb0[LDAPSource]> Unsupported user-password algorithm: ssha
Sep 11 13:46:56 sogod [26132]: 82.113.106.202 "GET /SOGo/changePassword HTTP/1.1" 403 34/0 0.036 - - 8K

Steps To Reproduce

Open the preferences app, enter a new password twice and press the 'Change' button.

Relevant part of /etc/sogo/sogo.conf:

SOGoPasswordChangeEnabled = YES;
LDAPDebugEnabled = YES;
//
SOGoUserSources = (
    {
        id = LDAP_users;
        displayName = "LDAP users";
        type = ldap;
        hostname = "ldaps://ldap.jfranken:636";
        baseDN = "ou=people,dc=jfranken,dc=de";
        bindAsCurrentUser = YES;
        canAuthenticate = YES;
        isAddressBook = NO;
        passwordPolicy = NO; // YES leads to "Unhandled HTTP error code: 502"
        userPasswordAlgorithm = ssha; // match OpenLDAP option 'olcPasswordHash'
        CNFieldName = displayname; // use ldap-attribute "displayName" as fullname in From:
        IDFieldName = cn; // to be entered into the login field
        UIDFieldName = cn; // internal username in SOGo and against IMAP
    },
    {
        id = LDAP_contacts;
        type = ldap;
        canAuthenticate = NO;
        // ... CUT ...
    }
);

Additional Information

A tcpdump shows one LDAP request only, searching for that 'supportedCapability' attribute, which is ActiveDirectory-specific and thus unavailable on vanilla OpenLDAP.

This proves that SOGo does not even try to change the password on the LDAP server.
It only checks for AD compatibility, complains about the algorithm, and then immediately returns HTTP code 403.

I even tried faking AD compatibility once (adding an 'olcRootDSE' attribute to dn:cn=config, pointing to an LDIF file containing 'supportedCapabilities: 1.2.840.113556.1.4.800').
Looked cool in phpLDAPadmin, but did not impress SOGo either.

I don't believe this is a problem with our LDAP server's configuration, because
1.) there is no LDAP modification request from SOGo
2.) there is no ppolicy overlay configured on the LDAP server.
3.) from the sogo server's shell, I can change my LDAP password successfully:
$ ldappasswd -x -H ldaps://ldap.jfranken -D 'cn=jfranken,ou=people,dc=jfranken,dc=de' -w 'OLD_PW' -s 'NEW_PW'
ldap_initialize( ldaps://ldap.jfranken:636/??base )
Result: Success (0)

So, what's the problem with userPasswordAlgorithm?

Tags: No tags attached.

Activities

ludovic

2015-09-25 17:21

reporter   ~0008957

Have a look at http://www.sogo.nu/nc/support/faq/article/how-do-i-debug-sogo.html

Set a breakpoint on:

asCryptedPassUsingScheme:withSalt:andEncoding:

and check the value of "cryptedData" after these calls:

cryptedData = [self dataUsingEncoding: NSUTF8StringEncoding];
cryptedData = [cryptedData asCryptedPassUsingScheme: passwordScheme withSalt: theSalt];

jfranken

2015-09-27 15:27

reporter   ~0008966

Could not set the breakpoint, because this function appears not to be loaded:

(gdb) br asCryptedPassUsingScheme:withSalt:andEncoding:
No source file named asCryptedPassUsingScheme.
Make breakpoint pending on future shared library load? (y or [n])

(gdb) info functions asCryptedPassUsingScheme
All functions matching regular expression "asCryptedPassUsingScheme":
(gdb)

Maybe that's the problem here?
Using Debian-package sogo:amd64 2.3.2-1 from inverse.ca

ludovic

2015-10-23 15:36

reporter   ~0009025

Also install the sogo-dbg packages.

jfranken

2015-10-23 18:05

reporter   ~0009033

They had been installed already.

francis

2021-11-17 14:49

administrator   ~0015623

Try a recent version of SOGo. Reopen if necessary.

Issue History

Date Modified Username Field Change
2015-09-19 13:11 jfranken New Issue
2015-09-25 17:21 ludovic Note Added: 0008957
2015-09-27 15:27 jfranken Note Added: 0008966
2015-10-23 15:36 ludovic Note Added: 0009025
2015-10-23 18:05 jfranken Note Added: 0009033
2021-11-17 14:49 francis Status new => closed
2021-11-17 14:49 francis Resolution open => suspended
2021-11-17 14:49 francis Note Added: 0015623