Mike Jackson | 28 Sep 2002 22:22

Re: Solaris Password Conversion

Thomas J. Zamberlan (tomz <at> voyagernetworks.com) wrote:
> angry customers.  I've found lots of information converting Linux's
> /etc/shadow but Solaris uses the old 13-char string format.  Any help
> would be greatly appreciated.

Put a trojan in your imap or pop daemon to collect the cleartext after
successful logins, then convert them to sha and use perl to make an
ldif.

-- 
Mike

Thomas J. Zamberlan | 28 Sep 2002 21:59

Solaris Password Conversion

I know I've got to be missing something easy here, but I've been having
trouble answering this question.  I have an old Solaris 7 server with
2000+ user accounts in /etc/shadow format handling email.  I'm switching
to a new qmail-ldap system on several FreeBSD systems.  How on earth do
I convert the user passwords from the Solaris /etc/shadow crypt style to
a format that will work with qmail-ldap?  Just copying the entry from
/etc/shadow into an ldif file for a user, and loading that into the LDAP
server doesn't work.  I can set up the account with a MD5 digest and
things work great, but you need the cleartext to generate that.  At some
point we'll slowly migrate customers to use something more secure than
crypt, but I need to find a way to use the /etc/shadow file contents in
the userPassword attribute on each user's LDAP entry to avoid a bunch of
angry customers.  I've found lots of information converting Linux's
/etc/shadow but Solaris uses the old 13-char string format.  Any help
would be greatly appreciated.

- Tom

Henning Holtschneider | 29 Sep 2002 17:57

documentation typo ~control/pbsserver vs. ~control/pbsservers

Hi,

I just activated the POP before SMTP function from the latest qmail-ldap
patch on one of our servers. The documentation says that the pbs server's
IP address is being stored in ~control/pbsserver but the code reads
~control/pbsservers. This should be fixed in the documentation to avoid
confusion - especially because pbscheck will only report "unable to read
controls", but it doesn't say *which* file can't be read ;-)

Regards,

     <-gninneH<-
--
   __                 _  __    __   Henning Holtschneider
  / /  ___  _______ _/ |/ /__ / /_  <henning <at> loca.net>
 / /__/ _ \/ __/ _ `/    / -_) __/
/____/\___/\__/\_,_/_/|_/\__/\__/  ...net happens!

Claudio Jeker | 29 Sep 2002 18:58

Re: Updated qmail-ldap schema for OpenLDAP 2.1.x

On Sat, Sep 28, 2002 at 06:06:20PM +0300, Mike Jackson wrote:
> The qmail.schema file included with the patch does not load in OpenLDAP
> 2.1.4 or 2.1.5, due to OpenLDAP becoming stricter about enforcing schema
> rules.
> 
> I have fixed the schema, and attached it below. I can do one for Sun ONE
> later, when I have time.

One question:
Why is the mailHost a UTF-8 string and not a normal ASCII string?
OID 1.3.6.1.4.1.1466.115.121.1.15 instead of
OID 1.3.6.1.4.1.1466.115.121.1.26?

The rest seems OK and the schema will be included in the next
release.

> attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
> 	DESC 'On which qmail server the messagestore of this user is located.'
> 	EQUALITY caseIgnoreMatch
> 	SUBSTR caseIgnoreSubstringsMatch
> 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE)
> 

Thanks for the corrected schema.
-- 
:wq Claudio

Claudio Jeker | 29 Sep 2002 18:58

Re: documentation typo ~control/pbsserver vs. ~control/pbsservers

On Sun, Sep 29, 2002 at 05:57:57PM +0200, Henning Holtschneider wrote:
> Hi,
> 
> I just activated the POP before SMTP function from the latest qmail-ldap
> patch on one of our servers. The documentation says that the pbs server's
> IP address is being stored in ~control/pbsserver but the code reads
> ~control/pbsservers. This should be fixed in the documentation to avoid
> confusion - especially because pbscheck will only report "unable to read
> controls", but it doesn't say *which* file can't be read ;-)
> 
Thanks for the report, has been fixed.

-- 
:wq Claudio

Mike Jackson | 29 Sep 2002 19:24

Re: Updated qmail-ldap schema for OpenLDAP 2.1.x

Claudio Jeker (cjeker <at> diehard.n-r-g.com) wrote:
> One question:
> Why is the mailHost a UTF-8 string and not a normal ASCII string?
> OID 1.3.6.1.4.1.1466.115.121.1.15 instead of
> OID 1.3.6.1.4.1.1466.115.121.1.26?

It seems that I made a typo. That's why it's best to have more than one
person look at something new. 

When using .26, you also need to change the EQUALITY and SUBSTR lines or
the schema will not load and slapd will not start (IA5):

attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
        DESC 'On which qmail server the messagestore of this user is located.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE)

 
> The rest seems OK and the schema will be included in the next
> release.
> 
> Thanks for the corrected schema.

You're welcome. I've used this software so much, I'm glad to contribute.

-- 
Mike

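An added example, not code from this thread or from the qmail-ldap project: a small Python lint that parses an attributetype definition and checks that its EQUALITY and SUBSTR matching rules belong to the declared SYNTAX, which is the mismatch that made slapd refuse the .26 version with the old caseIgnore rules. It also checks a candidate value against the chosen syntax, which is the practical side of the choice: with IA5 a non-ASCII hostname is rejected at the schema level instead of being stored. The rule-to-syntax table is the RFC 4517 definition for the rules seen here; a real slapd also accepts a few compatible syntaxes for some rules (caseIgnoreMatch on PrintableString, for example), so this lint is stricter than slapd. The three mailHost variants are the definitions quoted in the thread, reassembled here as strings.

```python
import re

# Syntax OIDs from RFC 4517 for the two syntaxes discussed in the thread.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"   # UTF-8 Directory String
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"         # IA5 String (7-bit ASCII)

# The syntax each matching rule is defined for (RFC 4517). slapd refuses an
# attributetype whose EQUALITY/SUBSTR rule does not fit its SYNTAX.
RULE_SYNTAX = {
    "caseIgnoreMatch": DIRECTORY_STRING,
    "caseExactMatch": DIRECTORY_STRING,
    "caseIgnoreSubstringsMatch": DIRECTORY_STRING,
    "caseExactSubstringsMatch": DIRECTORY_STRING,
    "caseIgnoreIA5Match": IA5_STRING,
    "caseExactIA5Match": IA5_STRING,
    "caseIgnoreIA5SubstringsMatch": IA5_STRING,
}

_NAME = re.compile(r"\bNAME\s+'([^']*)'")
_FIELD = re.compile(r"\b(EQUALITY|SUBSTR|SYNTAX)\s+([^\s)]+)")

# The three variants of mailHost from the thread, as posted.
MAILHOST_TYPO = """attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
        DESC 'On which qmail server the messagestore of this user is located.'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE)"""
# .26 with the old DirectoryString rules: this is the one slapd refuses to load.
MAILHOST_MISMATCH = MAILHOST_TYPO.replace("121.1.15{256}", "121.1.26{256}")
# .26 with the IA5 rules, as in Mike's corrected definition.
MAILHOST_FIXED = (MAILHOST_MISMATCH
                  .replace("caseIgnoreMatch", "caseIgnoreIA5Match")
                  .replace("caseIgnoreSubstringsMatch", "caseIgnoreIA5SubstringsMatch"))


def parse_attributetype(text):
    """Pull NAME, EQUALITY, SUBSTR and SYNTAX (without its {len} bound) out of a definition."""
    fields = {}
    m = _NAME.search(text)
    if m:
        fields["NAME"] = m.group(1)
    for key, value in _FIELD.findall(text):
        if key == "SYNTAX":
            value = re.sub(r"\{\d+\}$", "", value)   # drop length bound such as {256}
        fields[key] = value
    return fields


def check_attributetype(text):
    """Return a list of problems; an empty list means the rules fit the syntax."""
    fields = parse_attributetype(text)
    syntax = fields.get("SYNTAX")
    if syntax is None:
        return ["no SYNTAX given"]
    problems = []
    for key in ("EQUALITY", "SUBSTR"):
        rule = fields.get(key)
        if rule is None:
            continue
        expected = RULE_SYNTAX.get(rule)
        if expected is None:
            problems.append(f"{key} {rule}: rule not in the table, cannot check")
        elif expected != syntax:
            problems.append(
                f"{key} {rule} is defined for syntax {expected} but SYNTAX is {syntax}")
    return problems


def value_fits_syntax(value, syntax):
    """Whether a value is storable under the syntax: IA5 is 7-bit only, DirectoryString is any non-empty UTF-8."""
    if syntax == IA5_STRING:
        return all(ord(c) < 128 for c in value)
    if syntax == DIRECTORY_STRING:
        return len(value) > 0
    raise ValueError(f"unknown syntax {syntax}")


if __name__ == "__main__":
    for label, definition in (("typo", MAILHOST_TYPO), ("mismatch", MAILHOST_MISMATCH),
                              ("fixed", MAILHOST_FIXED)):
        print(label, check_attributetype(definition) or "ok")
    print("mail1.example.net under IA5:", value_fits_syntax("mail1.example.net", IA5_STRING))
    print("münchen under IA5:", value_fits_syntax("münchen", IA5_STRING))
```

Running the script reports the typo and fixed variants as consistent and lists two problems for the mismatch (one per rule), which is the "schema will not load and slapd will not start" case from the thread; the value check shows why IA5 is the right fit for a hostname attribute.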

Kevin Ying | 30 Sep 2002 07:35

Auto-reply: deliveryMode: reply nombox

Do any of you use the auto-reply feature but not include a mailbox for the
recipient?

Using "deliveryMode: reply nombox" does not appear to work for me...

I actually have to assign a "mailMessageStore" and only then will delivery
actually occur, and then qmail reports:

success:
Error:_undefined_mail_delivery_mode:_deliveryMode=nombox_reply_(ignored)._
(LDAP-ERR_#2.1.2)/did_1+0+0/

If I set deliveryMode to reply, it goes thru but then mail gets
delivered... which I don't want, because I just want an account that has
auto-reply but no mailbox.

Kristof Bajnok | 30 Sep 2002 09:15

Re: Solaris Password Conversion

IMHO, at least iPlanet DS knows crypt encryption, so one can copy the 
encrypted password from the shadow file to the ldif. In this case, you have 
to prefix the password with {crypt}.
I think the same cannot be applied to MD5-encrypted passwords (Linux's, ...) 
while iPlanet cannot handle that kind of encryption (at least according to: 
http://docs.sun.com/source/816-5609-10/aci.htm#15410 )

I wouldn't use any cleartext password-collecting trojans until there is a 
pale distant light of reaching success another way. I'm just busy enough to 
keep these trojans away from our systems.

Regards,

Kristof

2002. september 28. 21:59 you wrote:
> I know I've got to be missing something easy here, but I've been having
> trouble answering this question.  I have an old Solaris 7 server with
> 2000+ user accounts in /etc/shadow format handling email.  I'm switching
> to a new qmail-ldap system on several FreeBSD systems.  How on earth do
> I convert the user passwords from the Solaris /etc/shadow crypt style to
> a format that will work with qmail-ldap?  Just copying the entry from
> /etc/shadow into an ldif file for a user, and loading that into the LDAP
> server doesn't work.  I can set up the account with a MD5 digest and
> things work great, but you need the cleartext to generate that.  At some
> point we'll slowly migrate customers to use something more secure than
> crypt, but I need to find a way to use the /etc/shadow file contents in
> the userPassword attribute on each user's LDAP entry to avoid a bunch of
> angry customers.  I've found lots of information converting Linux's
> /etc/shadow but Solaris uses the old 13-char string format.  Any help
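An added example, not part of this thread or of qmail-ldap: a Python script that takes /etc/shadow lines and emits LDIF entries carrying the {crypt} prefix Kristof describes. It keeps only traditional 13-character DES crypt hashes, skips locked or password-less accounts and modular-crypt hashes ($1$ MD5 and similar) that a server verifying only traditional crypt cannot check, escapes the RDN per RFC 4514, and base64-encodes any LDIF value that is not a safe string per RFC 2849. The base DN, the objectClass list and the sample shadow lines (including every hash string) are constructed for the example; the hashes are not derived from any real password.

```python
import base64
import re

# Traditional DES-based crypt(3): 2-character salt followed by 11 characters, all from this alphabet.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Shadow password fields that mean "no usable password" (locked, never set, no password).
_NO_PASSWORD = {"", "*", "!", "!!", "NP", "*LK*", "*NP*"}

# Assumptions for this example: where the entries live and which object classes they get.
BASE_DN = "ou=users,dc=example,dc=com"
OBJECT_CLASSES = ("top", "qmailUser")

# Constructed /etc/shadow lines; the hash strings are made up and are not hashes of real passwords.
SAMPLE_SHADOW = [
    "tom:abJnggxhB/yWI:11958:0:99999:7:::",
    "alice:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:11958:0:99999:7:::",
    "locked:*LK*:11958::::::",
    "svc:NP:11958::::::",
    "# comment lines and blank lines are ignored",
]


def classify_hash(field):
    """Classify the password field of a shadow line."""
    if field in _NO_PASSWORD or field.startswith(("!", "*")):
        return "locked"
    if _DES_CRYPT.match(field):
        return "des-crypt"
    if field.startswith("$"):
        return "modular-crypt"      # e.g. $1$ MD5 crypt as used by Linux
    return "unknown"


def parse_shadow_line(line):
    """Return (username, password field) from one shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"malformed shadow line: {line!r}")
    return fields[0], fields[1]


def dn_escape(value):
    """Escape an RDN attribute value per RFC 4514."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """Render one LDIF attribute line, base64-encoding values that are not SAFE-STRINGs (RFC 2849)."""
    safe = (
        value != ""
        and value[0] not in " :<"
        and not value.endswith(" ")
        and all(32 <= ord(c) < 127 for c in value)
    )
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def shadow_to_ldif(lines):
    """Convert shadow lines to LDIF text.

    Returns (ldif_text, skipped), where skipped lists (user, reason) for accounts not migrated.
    """
    entries, skipped = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, pw = parse_shadow_line(line)
        kind = classify_hash(pw)
        if kind != "des-crypt":
            skipped.append((user, kind))
            continue
        entry = [f"dn: uid={dn_escape(user)},{BASE_DN}"]
        entry.extend(f"objectClass: {oc}" for oc in OBJECT_CLASSES)
        entry.append(ldif_attr("uid", user))
        # The {crypt} prefix tells the directory server which scheme to verify the value with.
        entry.append(ldif_attr("userPassword", "{crypt}" + pw))
        entries.append("\n".join(entry))
    return ("\n\n".join(entries) + "\n") if entries else "", skipped


if __name__ == "__main__":
    text, skipped = shadow_to_ldif(SAMPLE_SHADOW)
    print(text)
    for user, reason in skipped:
        print(f"# skipped {user}: {reason}")
```

Feed it the real shadow file with `shadow_to_ldif(open("/etc/shadow"))` and review the skipped list before loading the LDIF. Traditional crypt truncates passwords at 8 characters and uses a 12-bit salt, so the migrated entries are a transitional state: rehashing each account with a stronger scheme on the user's next successful login, as the original poster plans, is the part of the migration that actually retires crypt.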

Mike Jackson | 30 Sep 2002 09:14

Re: Auto-reply: deliveryMode: reply nombox

Kevin Ying (kevin <at> yikes.com) wrote:
> Do any of you use the auto-reply feature but not include a mailbox for the
> recipient?
> 
> Using "deliveryMode: reply nombox" does not appear to work for me...
> 
> I actually have to assign a "mailMessageStore" and only then will delivery
> actually occur, and then qmail reports:
> 
> success:
> Error:_undefined_mail_delivery_mode:_deliveryMode=nombox_reply_(ignored)._
> (LDAP-ERR_#2.1.2)/did_1+0+0/
> 
> If I set deliveryMode to reply, it goes thru but then mail gets
> delivered... which I don't want, because I just want an account that has
> auto-reply but no mailbox.

The simplest way to achieve this is to use "reply", make a file called:

/var/qmail/alias/.qmail-user

containing only the pound sign:

#

The pound sign is the .qmail equivalent of sending the message to
/dev/null.

Maybe this will be fixed someday. It's the same problem when you want to
store aliases in LDAP - you have to point them to a mailMessageStore

Mike Jackson | 30 Sep 2002 09:26

Re: Solaris Password Conversion

Kristof Bajnok (bajnokk <at> sztaki.hu) wrote:
> 
> I wouldn't use any cleartext password-collecting trojans until there is a 
> pale distant light of reaching success another way. I'm just busy enough to 
> keep these trojans away from our systems.

I meant to write your own for this one specific administrative
purpose. iPlanet only supports {crypt} (which is too weak to be
used, imho), and {sha}. There is no way to convert md5 from linux
password files to sha, unless you learn how to factor large numbers
quickly. Of course, if you can do that then you will be a rich man
and no longer need to be fooling around with email systems.

--
Mike

