Hello all,

At this time, there is no real security for passwords. There is an old problem: support for SCRAM salted hashed passwords is missing, with or without OpenLDAP. I think it is time to add this support in SOGo for users' security!
SCRAM has existed since 2011.

Some information:
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism

State of Play:
- https://github.com/scram-sasl/info/issues/1

Linked to:
- https://bugs.sogo.nu/view.php?id=4869

________________________________________
From: users-requ...@sogo.nu <users-requ...@sogo.nu> on behalf of Владимир Вишняков <users@sogo.nu>
Sent: Tuesday, December 12, 2023 07:21
To: users@sogo.nu
Subject: [SOGo] Authentication using ldap-md5 password fails

Good afternoon,

I use a mailcow: dockerized mail server with an integrated SOGo container. After the update, SOGo stopped allowing users whose password hash was generated using the {MD5} algorithm. Users whose password is generated by {BLF-CRYPT} are authenticated normally.

I turned on the logs; in the logs I can see access to the database and retrieval of the password hash, but the password is not accepted.

Dec 12 10:26:01 260deb884b40 2023-12-12 10:26:01.627 sogod[69:69] <MySQL4Channel[0x0x5562e2feb2e0] connection=0x0x5562e2b3b230> SQL: SELECT c_password FROM _sogo_static_view WHERE c_uid = 'pp_pet...@xx.xx';
Dec 12 10:26:01 260deb884b40 2023-12-12 10:26:01.627 sogod[69:69] <MySQL4Channel[0x0x5562e2feb2e0] connection=0x0x5562e2b3b230> query has results, entering fetch-mode.
...
SOGoRootPage Login from 'MY.IP.AD.DR' for user 'pp_pet...@xx.xx' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

The "c_password" field on _sogo_static_view contains a hash like:
{MD5}ZVN1hovmmV34NCxjRKIDVw==
(Base64-encoded MD5 hash)

userPasswordAlg setting:
<key>userPasswordAlgoritm</key>
<string>ldap-md5</string>

I also tried md5.

What could be the problem? Please help me fix it.
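
Added example, not part of the original messages and not SOGo's own code: a standalone Python check that parses an LDAP-style {SCHEME}base64 value such as the c_password hash quoted above and tests a candidate password against it offline, which helps separate a malformed stored hash from a failure on the verifying side. It goes beyond {MD5} to also cover {SMD5}, {SHA} and {SSHA}; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac

# scheme -> (hashlib algorithm, salted?) for common LDAP userPassword schemes.
SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}


def parse_userpassword(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt); raise ValueError if malformed."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)  # rejects stray characters
    size = hashlib.new(algo).digest_size
    # Unsalted values must be exactly one digest long; salted ones carry the salt after it.
    if len(raw) < size or (not salted and len(raw) != size):
        raise ValueError("decoded length %d does not fit %s" % (len(raw), scheme))
    return scheme, raw[:size], raw[size:]


def check_password(value, password):
    """Return True if password matches the stored value (digest = H(password + salt))."""
    scheme, digest, salt = parse_userpassword(value)
    computed = hashlib.new(SCHEMES[scheme][0], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_md5_value(password):
    """Build an unsalted {MD5} value; used here only to construct sample data."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


if __name__ == "__main__":
    # Hash string as quoted in the message above: confirm it is well-formed.
    print(parse_userpassword("{MD5}ZVN1hovmmV34NCxjRKIDVw==")[0])
    # Constructed sample: a value built from a made-up password verifies against it.
    sample = make_md5_value("constructed-example-password")
    print(check_password(sample, "constructed-example-password"))
```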