virtualmin + openldap + centos 6.6 final, domain owner can not login after domain create.

Hello Folks!

I have found a problem. I use latest virtualmin GPL version installed on top of a minimal Centos 6.6 final (fully updated to latest of everything).

OpenLDAP is configured accordingly the virtualmin ldap found on virtualmin pages.

After creating the domain, the domain owners can not login, you have to set password one more time inside virtualmin for the domain owner, then they can login.

By doing getent shadow one can see that directly after creating a domain, the pass-hash is much longer than after setting the password again.

Directly after domain is created in virtualmin as root user: getent shadow | grep fretom fretom:{ssha}$6$16049367$vFnalKfSqLVu.C4JLMuYUXeUImNvS9.m47JRT43DFbc9WwwioHj87.9sfZLFFJvyzSrZk5.AwZjVEi5r2ekj30:16389::::::0

getent passwd | grep fretom fretom:x:500:500:FT:/home/fretom:/bin/sh

genet group | grep fretom fretom::500:apache

The domain owner/user fretom can not login using: ssh/ftp/webmin/usermin

After changing password using virtualmin as root user a second time: getent shadow | grep fretom fretom:{ssha}Oe3/jyx/xIdRCJByLlmt+eOkKHzp/3yd:16389::::::0

Now all is working normally, the user fretom can login using ssh/ftp/webmin/usermin.

It seems like virtualmin at create time uses sha512 and then after that start using sha256 or some sha.

I have fiddled around with /etc/login.defs /etc/pam_ldap.conf webmin ldap client module, webmin ldap users and groups settings for password and authconfig --passalgo sha512 --update, and different passalgo. Nothing helped, it either becomes CRYPT or the same or md5 or the same as second password attempt.

All tested, same result, domain owner can not login first time after changing password a second time: Encryption method for passwords LDAP MD5 Unix MD5 crypt Plain text LDAP SSHA Unix SHA

login.defs: ENCRYPT_METHOD SHA512 If trying with sha256, the result is CRYPT not SHA.

pam_ldap.conf: pam_password exop

I think also there is a problem with OpenLDAP, it seems not to like sha512 due to first time one can not login, but that I think is another story.

Everything installed is as much default as possible, yum/rpm installed packages only no "self compiled" stuff.

It is either a strange bug or some conflict in the settings.

Status: 
Active

Comments

Have you tried setting a different password hashing format at Webmin -> System -> LDAP Users and Groups -> Module Config -> New user options -> Encryption method for passwords ?

Hello Jamie!

Yes, we tried all of them, it made no difference.

Did the format or length of the first hashed password change in any way, or did it always start with $6$ ?

Hello Jamie!

It always started with $6$ first time, changing /etc/login.defs password algorithm to sha256 and it ends up with crypt instead, always first time. The same happens if you use authconfig and pick password algorithm to sha256

Do you perhaps have your ldap server setup to do its own hashing of the password supplied when adding a user?

will look into that, but nothing I am aware about so to say.

I've seen this problem reported by other users, and that LDAP server setting was the cause.