what encryption is used by Cyrus to encrypt passwords?

Tomasz Chmielewski mangoo at wpkg.org
Wed Mar 15 11:33:30 EST 2006

Craig White wrote:
> On Wed, 2006-03-15 at 16:40 +0100, Tomasz Chmielewski wrote:
>> info-cyrus at lists.andrew.cmu.edu wrote:
>>> Tomasz Chmielewski wrote:
>>>> I have a user base in two databases: one in LDAP, for Samba, and one 
>>>> in MySQL, for cyrus/mail.
>>>> It's not very comfortable, as I have to do the things twice.
>>>> So I thought of "leeching" the users and passwords from the LDAP 
>>>> database, filtering it through a script, and creating cyrus accounts 
>>>> this way.
>>>> There is one problem though - Samba accounts use SSHA encryption, and 
>>>> Cyrus doesn't.
>>>> What encryption is used by Cyrus?
>>>> When I look into MySQL database, the password looks like that:
>>>> abcDe12FGHiJK
>>>> So it's 13 characters.
>>>> What encryption is it?
>>> Why not build cyrus to read users from LDAP?
>> It would be problematic here.
>> Right now I have several LDAP (Samba) databases on different servers - 
>> for different user groups.
>> On the other hand, one MySQL (cyrus) database is used for all users.
>> So, if I wanted to make Cyrus read from LDAP, it would have to read from 
>> several LDAP servers.
>> Can it do it? I didn't google much, but perhaps it's either impossible, 
>> or hard to do.
>> So I assumed the approach I described earlier would be easier.
> ----
> I would expect that you could set up one of your LDAP servers to do
> referrals to the other proxy servers so you would only need to set up
> one LDAP reference within cyrus.

Technically, I should be able to do this.
Perhaps it's not the best group to ask - what will happen if the 
connection between the two LDAP servers is broken, and we use referrals 
as here [1]:

   ref: ldap://b.example.net/dc=subtree,dc=example,dc=net

> I would also suggest that sambaNTPassword and sambaLMPassword attributes
> are not SSHA but rather a Microsoft form of hash. The userPassword
> attribute (if your samba users are also posixAccount/shadowAccount
> objectclasses) could possibly be SSHA.

This I know.
What I want to know is what Cyrus uses - certainly it's not a Microsoft 
hash :) and not SSHA.

[1] http://www.openldap.org/doc/admin23/referrals.html

Tomasz Chmielewski
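
Added example, not part of the thread and not Cyrus or Samba code: a shape-based classifier for the kinds of stored value mentioned above ({SSHA} userPassword, 32-hex-digit Samba hashes, a 13-character string), plus an {SSHA} check showing why a sync script can copy such a hash but not convert it to another scheme. A 13-character match only means the value has the shape of a traditional crypt(3) DES string; it does not confirm what the MySQL-backed setup in the thread uses. Function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

CRYPT_DES = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")        # 16-byte hash written in hex
SHA1_LEN = 20


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: bytes, stored: str) -> bool:
    """Verify a candidate password against an {SSHA} value.

    The salt is recovered from the stored value, but the password is not:
    re-hashing into a different scheme needs the plaintext.
    """
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def classify(stored: str) -> str:
    """Guess the storage scheme from the value's shape only (heuristic)."""
    if stored.upper().startswith("{SSHA}"):
        try:
            raw = base64.b64decode(stored[6:], validate=True)
        except ValueError:
            return "unknown"
        # A valid value carries the 20-byte digest plus at least 1 salt byte.
        return "ssha" if len(raw) > SHA1_LEN else "unknown"
    if HEX32.fullmatch(stored):
        return "hex-16-byte"       # shape of sambaNTPassword/sambaLMPassword
    if CRYPT_DES.fullmatch(stored):
        return "crypt-des-shaped"  # shape of traditional crypt(3) output
    return "unknown"
```
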

