Hello,
Evaluating sogo 2.3.1-1 with OpenLDAP 2.4.31 and cyrus-imapd 2.4.16 on Debian
wheezy.
Login and webmail with LDAP credentials work fine, but I cannot change my
(LDAP-) password through SOGo.
When I open the preferences app, enter a new password twice and press the
'Change'-button, SOGo shows the error message:
in browser:
Unhandled policy error: 32766
in /var/log/sogo/sogo.log:
Sep 11 13:46:56 sogod [26132]: <0x0x7f4bd3ef8230[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldaps://ldap.jfranken:636
2015-09-11 13:46:56.024 sogod[26132] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base '' filter '(objectclass=*)' for attrs 'supportedCapabilities'
Sep 11 13:46:56 sogod [26132]: [ERROR] <0x0x7f4bd393beb0[LDAPSource]> Unsupported user-password algorithm: ssha
Sep 11 13:46:56 sogod [26132]: 82.113.106.202 "GET /SOGo/changePassword HTTP/1.1" 403 34/0 0.036 - - 8K
A tcpdump shows one LDAP request only, searching for that 'supportedCapability'
attribute, which is ActiveDirectory-specific and thus unavailable on vanilla
OpenLDAP.
This proves that SOGo does not even try to change the password on the LDAP
server.
It only checks for AD compatibility, complains about the algorithm, and then
immediately returns HTTP code 403.
Relevant part of /etc/sogo/sogo.conf:

SOGoPasswordChangeEnabled = YES;
LDAPDebugEnabled = YES;
//
SOGoUserSources = (
  {
    id = LDAP_users;
    displayName = "LDAP users";
    type = ldap;
    hostname = "ldaps://ldap.jfranken:636";
    baseDN = "ou=people,dc=jfranken,dc=de";
    bindAsCurrentUser = YES;
    canAuthenticate = YES;
    isAddressBook = NO;
    passwordPolicy = NO;            // YES leads to "Unhandled HTTP error code: 502"
    userPasswordAlgorithm = ssha;   // match OpenLDAP option 'olcPasswordHash'
    CNFieldName = displayname;      // use ldap-attribute "displayName" as fullname in From:
    IDFieldName = cn;               // to be entered into the login field
    UIDFieldName = cn;              // internal username in SOGo and against IMAP
  },
  {
    id = LDAP_contacts;
    type = ldap;
    canAuthenticate = NO;
    // ... CUT ...
  }
);
I even tried faking AD compatibility once (adding an 'olcRootDSE' attribute to
dn:cn=config, pointing to an LDIF file containing 'supportedCapabilities: 1.2.840.113556.1.4.800').
Looked cool in phpLDAPadmin, but did not impress SOGo either.
I don't believe this is a problem with our LDAP server's configuration, because
1.) there is no LDAP modification request from SOGo
2.) there is no ppolicy overlay configured on the LDAP server.
3.) from the sogo server's shell, I can change my LDAP password successfully:

$ ldappasswd -x -H ldaps://ldap.jfranken -D 'cn=jfranken,ou=people,dc=jfranken,dc=de' -w 'OLD_PW' -s 'NEW_PW'
ldap_initialize( ldaps://ldap.jfranken:636/??base )
Result: Success (0)
So, what's the problem with userPasswordAlgorithm?
Regards,
--
Johannes Franken
Professional unix/network development
mailto:[email protected]
http://www.jfranken.de/
--
[email protected]
https://inverse.ca/sogo/lists