what encryption is used by Cyrus to encrypt passwords?

Craig White craigwhite at azapple.com
Wed Mar 15 11:55:19 EST 2006


On Wed, 2006-03-15 at 17:33 +0100, Tomasz Chmielewski wrote:
> Craig White wrote:
> > On Wed, 2006-03-15 at 16:40 +0100, Tomasz Chmielewski wrote:
> >> info-cyrus at lists.andrew.cmu.edu wrote:
> >>> Tomasz Chmielewski wrote:
> >>>> I have a user base in two databases: one in LDAP, for Samba, and one 
> >>>> in MySQL, for cyrus/mail.
> >>>>
> >>>> It's not very comfortable, as I have to do the things twice.
> >>>>
> >>>> So I thought of "leeching" the users and passwords from the LDAP 
> >>>> database, filtering it through a script, and creating cyrus accounts 
> >>>> this way.
> >>>>
> >>>> There is one problem though - Samba accounts use SSHA encryption, and 
> >>>> Cyrus doesn't.
> >>>>
> >>>> What encryption is used by Cyrus?
> >>>>
> >>>> When I look into MySQL database, the password looks like that:
> >>>>
> >>>> abcDe12FGHiJK
> >>>>
> >>>> So it's 13 characters.
> >>>>
> >>>> What encryption is it?
> >>>>
> >>> Why not build cyrus to read users from LDAP?
> >> It would be problematic here.
> >>
> >> Right now I have several LDAP (Samba) databases on different servers - 
> >> for different user groups.
> >>
> >> On the other hand, one MySQL (cyrus) database is used for all users.
> >>
> >> So, if I wanted to make Cyrus read from LDAP, it would have to read from 
> >> several LDAP servers.
> >>
> >> Can it do it? I didn't google much, but perhaps it's either impossible, 
> >> or hard to do.
> >>
> >>
> >> So I assumed the approach I described earlier would be easier.
> > ----
> > I would expect that you could set up one of your LDAP servers to do
> > referrals to the other proxy servers so you would only need to set up
> > one LDAP reference within cyrus.
> 
> Technically, I should be able to do this.
> Perhaps it's not the best group to ask - what will happen if the 
> connection between the two LDAP servers is broken, and we use referrals 
> as here [1]:
> 
>    ref: ldap://b.example.net/dc=subtree,dc=example,dc=net
> 
> 
> > I would also suggest that sambaNTPassword and sambaLMPassword attributes
> > are not SSHA but rather a Microsoft form of hash. The userPassword
> > attribute (if your samba users are also posixAccount/shadowAccount
> > objectclasses) could possibly be SSHA.
> 
> This I know.
> What I want to know is what Cyrus uses - certainly it's not a Microsoft 
> hash :) and not SSHA.
> 
> [1] http://www.openldap.org/doc/admin23/referrals.html
----
I think that Aleksandar has already answered the second question and the
first question...if the connection to the LDAP server isn't available,
then the user won't be able to log in when the system to authenticate
the user isn't available.

Craig
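
An added example, not part of the original thread or of Cyrus: a shape check for the password formats mentioned above ({SSHA} userPassword values, 32-hex sambaNTPassword/sambaLMPassword values, and a 13-character string like the one quoted from MySQL), plus {SSHA} verification. The function names are hypothetical and the sample values are constructed; the shape check is a heuristic and does not confirm what any particular Cyrus/MySQL setup actually stores.

```python
import base64
import hashlib
import hmac
import re


def identify_scheme(stored: str) -> str:
    """Guess how a stored password field was produced, from its shape alone."""
    if stored.upper().startswith("{SSHA}"):
        try:
            raw = base64.b64decode(stored[6:], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed-ssha"
        # SHA-1 digest is 20 bytes; whatever follows is the salt.
        return "ssha" if len(raw) > 20 else "malformed-ssha"
    if re.fullmatch(r"\$[0-9a-z]+\$.+", stored):
        return "modular-crypt"  # $1$, $2a$, $6$ ... style crypt(3) strings
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "des-crypt"  # traditional crypt(3): 2 salt chars + 11 hash chars
    if re.fullmatch(r"[0-9A-Fa-f]{32}", stored):
        return "nt-or-lm-hash"  # shape of sambaNTPassword / sambaLMPassword
    return "unknown"


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a cleartext password against an {SSHA} value.

    This is the only operation a hash supports: it cannot be converted into
    another scheme, so moving to a new scheme means re-hashing the cleartext
    at the moment the user supplies it.
    """
    if identify_scheme(stored) != "ssha":
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    constructed = make_ssha("example-password", b"\x01\x02\x03\x04")  # constructed sample
    for value in ("abcDe12FGHiJK", constructed, "0123456789ABCDEF0123456789ABCDEF"):
        print(f"{value:45} -> {identify_scheme(value)}")
```
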


