what encryption is used by Cyrus to encrypt passwords?

Tarjei Huse tarjei at nu.no
Thu Mar 16 14:56:54 EST 2006


On Wed, 2006-03-15 at 17:33 +0100, Tomasz Chmielewski wrote:
> Craig White wrote:
> > On Wed, 2006-03-15 at 16:40 +0100, Tomasz Chmielewski wrote:
> >> info-cyrus at lists.andrew.cmu.edu wrote:
> >>> Tomasz Chmielewski wrote:
> >>>> I have a user base in two databases: one in LDAP, for Samba, and one 
> >>>> in MySQL, for cyrus/mail.
> >>>>
> >>>> It's not very comfortable, as I have to do the things twice.
> >>>>
> >>>> So I thought of "leeching" the users and passwords from the LDAP 
> >>>> database, filtering it through a script, and creating cyrus accounts 
> >>>> this way.
> >>>>
> >>>> There is one problem though - Samba accounts use SSHA encryption, and 
> >>>> Cyrus doesn't.
> >>>>
> >>>> What encryption is used by Cyrus?
> >>>>
> >>>> When I look into MySQL database, the password looks like this:
> >>>>
> >>>> abcDe12FGHiJK
> >>>>
> >>>> So it's 13 characters.
> >>>>
> >>>> What encryption is it?
> >>>>
> >>> Why not build cyrus to read users from LDAP?
> >> It would be problematic here.
> >>
> >> Right now I have several LDAP (Samba) databases on different servers - 
> >> for different user groups.
> >>
> >> On the other hand, one MySQL (cyrus) database is used for all users.
> >>
> >> So, if I wanted to make Cyrus read from LDAP, it would have to read from 
> >> several LDAP servers.
> >>
> >> Can it do it? I didn't google much, but perhaps it's either impossible, 
> >> or hard to do.
> >>
> >>
> >> So I assumed the approach I described earlier would be easier.
> > ----
> > I would expect that you could set up one of your LDAP servers to do
> > referrals to the other proxy servers so you would only need to set up
> > one LDAP reference within cyrus.
> 
> Technically, I should be able to do this.
> Perhaps it's not the best group to ask - what will happen if the 
> connection between the two LDAP servers is broken, and we use referrals 
> as here [1]:
> 
>    ref: ldap://b.example.net/dc=subtree,dc=example,dc=net
> 
> 
> > I would also suggest that sambaNTPassword and sambaLMPassword attributes
> > are not SSHA but rather a Microsoft form of hash. The userPassword
> > attribute (if your samba users are also posixAccount/shadowAccount
> > objectclasses) could possibly be SSHA.
> 
> This I know.
> What I want to know is what Cyrus uses - certainly it's not a Microsoft 
> hash :) and not SSHA.

As I said, cyrus can use a lot of different hashes depending on how you
configure it. Read up on cyrus-sasl.

I think you should consider looking into the replication and syncing
features of openldap. You should probably be able to use that to have a
slave ldapserver on the mailserver with the other ldapservers as masters
for their own subtrees.

This will also give you a handy backup :-)


Tarjei

> 
> [1] http://www.openldap.org/doc/admin23/referrals.html
> 
-- 
Tarjei Huse <tarjei at nu.no>
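
The stored-value formats mentioned in this thread, as an added example that is not part of the original messages: it classifies a stored password value by shape and verifies a password against an LDAP {SSHA} value. The function names and labels are hypothetical, the sample values are constructed, and the 13-character match is an inference from the format of traditional DES crypt(3) output, not something the thread confirms about this Cyrus setup.

```python
import base64
import hashlib
import hmac
import re

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: bytes) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())

def classify(stored: str) -> str:
    """Guess the scheme of a stored value from its shape alone."""
    if stored.upper().startswith("{SSHA}"):
        try:
            raw = base64.b64decode(stored[6:], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed-ssha"
        # A valid value carries at least one salt byte after the digest.
        return "ssha" if len(raw) > 20 else "malformed-ssha"
    if re.fullmatch(r"[0-9A-Fa-f]{32}", stored):
        # Shape of the sambaNTPassword / sambaLMPassword attributes.
        return "nt-or-lm-shape"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        # 2 salt characters + 11 hash characters in the crypt(3) alphabet.
        return "des-crypt-shape"
    return "unknown"

# Constructed sample values, not taken from any real directory.
SAMPLE_SSHA = make_ssha(b"constructed-password", b"\x01\x02\x03\x04")
SAMPLE_HEX = "0123456789ABCDEF0123456789ABCDEF"
SAMPLE_13 = "abcDe12FGHiJK"  # placeholder value quoted in the thread

if __name__ == "__main__":
    for value in (SAMPLE_SSHA, SAMPLE_HEX, SAMPLE_13, "{SSHA}!!!"):
        print(f"{value!r:45} -> {classify(value)}")
    print("SSHA verifies:", verify_ssha(SAMPLE_SSHA, b"constructed-password"))
```

All of these are one-way values, so a sync script can copy a hash only into a store that verifies the same scheme; it cannot turn an {SSHA} value into another format without the cleartext password.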


