Password synchronisation OX --> Postfix/Cyrus

  • Password synchronisation OX --> Postfix/Cyrus

    Hi everyone,

    I have a problem with password synchronization between OX and Cyrus/Postfix.

    Whenever a user changes his password in OX, he locks himself out of Cyrus/Postfix, because there he still has the old password.

    What I initially had in mind was to install a database trigger in the OX database (oxdb_6) that would update the password in the cyrus/postfix db (mail) whenever the user changes his ox password.

    The problem I now encounter is that the password encryption in ox is always different from those selectable in C/P.

    My idea is now to still have a trigger that writes the passwords to an additional table in the db, and to have a Java program running in the background that checks that table for changes.
    Whenever that new password is set in the oxdb_6, the program will convert the stored password from the ox encryption to one of the other encryptions/hashes (crypt, mysql, md5).

    However, this still seems a bit impractical.
    Plus, I don't know how to get the plaintext password back from the OX-encrypted one.

    So what I'm asking is this: does anyone know how to encrypt/decrypt the stored OX passwords? Or is there an easier solution to this problem? (like re-compiling ox with a different crypto lib or something?)

    Thanks in advance!

  • #2
    PAM supports SHA.....

    Just use PAM for Postfix and Cyrus....
    Then use pam-mysql....

    Load a base64 function into your MySQL OX Database....
    And set your Pam-Mysql users.password_column to "lower(hex(BASE64_DECODE(user.userPassword)))" ...
    Change BASE64_DECODE to the Sql function you wish to use....

    Ensure that your passwords are set to SHA....
    Have fun.....

    • #3
      And your pam-mysql has "users.password_crypt" set to SHA1....

      Gotta sleep...

      • #4
        Or just use this mechanism: http://oxpedia.org/wiki/index.php?ti...sswordExternal

        • #5
          Why?

          Why have two separate Authentication sources?

          This *will* lead to synchronization problems.

          I just wish OX had the flexibility to auth with PAM, POSTGRES, SAMBA or any other auth sources....

          • #6
            OX actually *has* a flexible authentication mechanism.
            Everybody can write their own authentication mechanisms.

            • #7
              And I could rewrite the whole database schema to provide for a simpler system.
              I could even re-implement the IMAP function to work with LEMONADE compliant systems. Even adding a function to become a pure client certificate system... Who needs usernames/passwords anyway?

              Wouldn't it be nice to have a few easy lines to modify to direct to the auth source?

              This is where an Out of the Box experience will sell more products than a system that requires major customization......

              • #8
                Even further.....
                Why does OX make the SHA1 password so complex?
                Why can't it simply be a standard HEX representation of a SHA1?

                This would make it compliant with most authentication mechanisms?

                Instead it is a Base64 encoded string of SHA1.....
                Where did this complexity enter the system?

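Replies #2, #3 and #8 come down to one mismatch: the OX column holds a Base64 string of a SHA1 digest, while pam-mysql with SHA1 compares a hex digest, and going from one to the other is a lossless re-encoding that never needs the plaintext. The following is an added example, not code from the thread or from OX; it assumes the stored value is the Base64 of an unsalted raw SHA-1 digest of the UTF-8 password, and the function names and sample value are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_LEN = 20  # size of a raw SHA-1 digest in bytes

# Constructed sample: Base64 of SHA-1("abc"), standing in for a stored OX value.
SAMPLE_STORED = "qZk+NkcGgWq6PiVxeFDCbJzQ2J0="


def ox_to_hex(stored: str) -> str:
    """Re-encode Base64(SHA-1) as lowercase hex, i.e. what
    lower(hex(BASE64_DECODE(...))) from reply #2 would return."""
    try:
        raw = base64.b64decode(stored.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("stored value is not valid Base64") from exc
    if len(raw) != SHA1_LEN:
        # A different length means the row does not hold a SHA-1 digest.
        raise ValueError(f"decoded to {len(raw)} bytes, expected {SHA1_LEN}")
    return raw.hex()


def hex_to_ox(hex_digest: str) -> str:
    """Inverse direction: hex SHA-1 back to the Base64 form."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != SHA1_LEN:
        raise ValueError("not a SHA-1 hex digest")
    return base64.b64encode(raw).decode("ascii")


def check_password(candidate: str, stored: str) -> bool:
    """Verify a login attempt against the stored Base64 value.
    Assumption: the digest was computed over the UTF-8 password bytes."""
    try:
        expected = ox_to_hex(stored)
    except ValueError:
        return False  # malformed or non-SHA-1 rows never authenticate
    actual = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


if __name__ == "__main__":
    print(ox_to_hex(SAMPLE_STORED))
    print(check_password("abc", SAMPLE_STORED))
```
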