#21 - 06-02-2008, 02:29 PM - Moderator (Posts: 1,554)

No answer yet? I think my answer was pretty good, although it may take a bit of work. Maybe I didn't explain it properly.

Of course existing passwords are pretty much unretrievable, that much is clear since I think they're already SHA encrypted and maybe you could try cracking them but that seems rather pointless. For existing passwords you're going to have to ask the users, or wireshark them I guess.

Anyway, OpenLDAP, which Zimbra uses for its store, can be configured to store passwords as plain text. This is done by adding

password-hash {CLEARTEXT}

to the slapd.conf. This assumes Zimbra's OpenLDAP hasn't been built with --disable-cleartext. Now when your users change their password, it should store them in plain text in the Zimbra LDAP server, and thus with the LDAP root DN password you can view anyone's password.

Can any dev confirm this should work?
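An added example, not code from this thread or from Zimbra: a small Python audit that parses a slapd.conf and reports what the password-hash directive discussed above will do to newly set passwords, so an administrator can confirm the directory is not storing them in cleartext. It assumes a file in slapd.conf format (not cn=config) and relies on OpenLDAP's documented default of {SSHA} when the directive is absent; the sample configs are constructed.

```python
# OpenLDAP stores one userPassword value per scheme listed in password-hash;
# when the directive is absent, slapd defaults to {SSHA} (salted SHA-1).
DEFAULT_SCHEMES = ["{SSHA}"]
CLEARTEXT = {"{CLEARTEXT}"}
UNSALTED = {"{SHA}", "{MD5}"}             # hashed, but no salt
SALTED = {"{SSHA}", "{SMD5}", "{CRYPT}"}  # {CRYPT} strength depends on crypt(3)


def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) and drop comments."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + stripped
        else:
            lines.append(stripped)
    return lines


def password_hash_schemes(text):
    """Schemes from the last password-hash directive; directive names are case-insensitive."""
    schemes = None
    for line in logical_lines(text):
        parts = line.split()
        if parts[0].lower() == "password-hash":
            schemes = [p.upper() for p in parts[1:]]   # later directive overrides
    return schemes if schemes else list(DEFAULT_SCHEMES)


def audit_password_hash(text):
    """Return (severity, detail) describing how new userPassword values will be stored."""
    schemes = set(password_hash_schemes(text))
    if schemes & CLEARTEXT:
        return ("CRITICAL", "userPassword will be stored in cleartext; anyone who can "
                            "read the directory (e.g. the root DN) reads passwords directly")
    if schemes & UNSALTED:
        return ("WARNING", "unsalted scheme(s) in use: " + " ".join(sorted(schemes)))
    unknown = schemes - SALTED
    if unknown:
        return ("WARNING", "unrecognised scheme(s): " + " ".join(sorted(unknown)))
    return ("OK", "salted hashing: " + " ".join(sorted(schemes)))


if __name__ == "__main__":
    # Constructed sample, not a real Zimbra slapd.conf.
    sample = "# weak setting from the thread\npassword-hash {CLEARTEXT}\n"
    print(audit_password_hash(sample))   # ('CRITICAL', ...)
    print(audit_password_hash(""))       # ('OK', 'salted hashing: {SSHA}')
```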
#22 - 06-02-2008, 02:32 PM - Moderator (Posts: 1,027)

Quote (originally posted by PNE):
> Quite interesting discussion but as already said, no answer so far. How about this - look at /opt/zimbra/log/mailbox.log and you will find out that for POP3 sessions passwords are logged here. I still run a 4.5 version so I do not know if this is still valid in more recent versions and I do not know right now if you need to turn on some more detailed logging but passwords are definitely there. You just need to find password for the latest successful login.

I could be wrong here (I have been before) but I think that's only going to be true if you have "allow clear text login" enabled as an option for POP3, which a lot of us paranoids would strongly counsel against. Plus it'd only be true for POP3 logins, not for web client logins which are over a secure connection.

Remember that if you enable clear text login, not only can you recover passwords from the log, but any fool with a sniffer can recover passwords from your network connection. If that doesn't bother you, so be it, but it would bother me.
__________________
Cheers,

Dan
#23 - 06-02-2008, 06:43 PM - Zimbra Employee (Posts: 580)

And of course, anyone with a password sniffer who wants to sniff the LDAP traffic for bind operations can get the password too, as long as it is an unencrypted bind. It would be far simpler to set up an AUX objectClass to store a question and answer set of attributes, and then set up a password reset page that uses a user-selected question/answer set, like a lot of sites do. You could even limit what questions they get to use.
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.