No announcement yet.

sync password do not work?

  • Filter
  • Time
  • Show
Clear All
new posts

  • sync password do not work?


    I am running the script to sync my openldap users with the ox database and it works fine!

    But the passwords...... something is wrong there.

    I've set my password to SHA on openldap, because I saw that it is the default on ox, but I've also tried with md5... and I cannot login, the password does not matches.

    The password update is working, but apparently something is wrong.

    If I set the password by hand like "secret" I can login, so the user creating is fine, is it just the password.

    How can I debug this? Do I need to configure something else?? Anyone with the same problem??

    Many thanks!

  • #2

    not exactly sure what you did so far but if you sync your users via oxldapsync to OX the passwords are not synced.
    In this scenario the authentication is still supposed to be done using LDAP. That means that the user passwords in the OX database are not used but it's verified via LDAP. For that you would need to install open-xchange-authentication-ldap and configure it correctly.


    • #3

      OK, yes I see what you mean. I was testing the LDAP auth, but regarding the password sync, I've configured mapping.openldap.conf with:

      password = userPassword

      Then I see at the output of something like:

      /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password --access-collect-email-addresses "on" --password "{MD5}kICxaS7wkSrLA5obU8j+nw==" ................ user susan.calvin in context 1 changed

      That's what I meant. But looks like the hash is wrong somehow. I just don't want to set a global password for all the users.

      Last edited by ma123; 07-14-2014, 10:54 AM. Reason: typo


      • #4
        oxldapsync is not meant to synchronize passwords.
        This never has been tested, most likely does not work because of different syntax and encodings and so on.

        A global password as set in the oxldapsync mapping but it's not used for the enduser if the authentication-ldap plugin is used.
        (It's still used for context authentication in the provisioning interface though.)


        • #5

          Thanks for the reply!

          So let me explain what I am trying to accomplish here... maybe there is another way?

          Currently I am authenticating OX users with the mysql database, and the mail server which runs postfix/dovecot it is configured to authenticate with the same database... the user table from oxdatabase_5. This is working fine, but I need to migrate my users to openldap.

          Then I'll also need to switch postfix/dovecot auth to openldap because of the passwd sync issue? Right?

          Still, I've tested the openldap mapping to a hardcoded password, same as ldap side, and that also failed. I mean, I can authenticate the use with ldap, but then it cannot get to the mailbox because it fail to authenticate with imap which users the user table at oxdatabase_5 to get user/passwd via mysql query. Or I did something wrong in the middle??

          And regarding the ldapauth, I cannot authenticate with users that are not directly under the baseDN, even with the subtreeSearch=true option. Any idea on how to fix this? It is working for a user that it is just at the baseDN, but then I have several OUs with users that cannot be found to authenticate.



          • #6
            I do not fully understand your usecase.
            If you have to migrate to LDAP for some reason then LDAP should be the authoritative owner of the user passwords.
            Just switch Dovecot/Postfix to use LDAP as well as OX to use LDAP via oxldapsync and authentication-ldap.
            Or you even have the choice to use oxldapsync and authenticate using authentication-imap which should just work as well (but is one more step in the process).

            For you problem with the subtrees: I'm not sure. Do your users login with their LDAP uid or with any other attribute?


            • #7
              Hi Wolfgang,


              Regarding subtree issue, yes, the users login with the uid. It is funny that it works for a user on the base tree, but not for the users below the OUs.

              Thanks again!


              • #8
                Hi M,

                that debugging can be a bit problematic.
                You could open a bug at for the community edition. This won't have any SLA though or if you have a commercial license for OX you might be able to contact support.

                Depending on the version you are running you can enable more verbose logging for the authentication via CLT:

                logconf -l com.openexchange.authentication.ldap.LDAPAuthentic ation=TRACE

                during runtime and see if you can recognize what the issue is from the logging.