Bug#748065: gosa: decryption of LDAP password fails (encrypted with gosa-encrypt-passwords)

[Andreas B. Mundt]

Hi Mike,

On Sun, May 18, 2014 at 09:27:22PM +0000, Mike Gabriel wrote:

> hope you are doing well!!!

Thanks, I am fine!  I hope you and your family are fine too.

> On  Di 13 Mai 2014 21:44:56 CEST, Andreas B. Mundt wrote:
[...]

> >the decryption of the LDAP password (which has been encrypted by
> >gosa-encrypt-passwords) seems to fail in jessie:
> >
> >When trying to login at the GOsa web interface, an error regarding the
> >LDAP connection happens ('Error while connecting to LDAP: Could not
> >bind to ... ').
> >
> >After copying gosa.conf.orig to gosa.conf (with read permissions for
> >group www-data), things work again as expected.
> >
> >So the decryption of the LDAP password which has been encrypted by
> >running gosa-encrypt-passwords seems not to work.
> >

> Do you have a clue why this happens. Feel like asking before I start digging
> in the upstream code...

No, I am sorry.  I tried to find out more, ran the encryption with the
gosa-encrypt-passwords script again, but nothing suspicious showed up.

I am not sure if the problem is in GOsa or in the new apache version,
as the idea of the encrytion IIRC is that the webserver uses the
gosa.secret file (which must only be readable by root) to decrypt the
encrypted password in gosa.conf (readable by www-data).  I have no
clue about the mechanism used to achive that, so perhaps something
changed there.  But I saw nothing in apache's logs either (Perhaps
some debugging flag is needed).

A big "thank you" for all your work on GOsa so far.  I hope 'we' can
fix that one too ...

Best regards,

     Andi