dovecotlist at encambio.com
2009-Apr-08 22:31 UTC
[Dovecot] Trying nonplaintext mech with LDAP password-hash
Hello List,

The only passdb block in /pfx/etc/dovecot/dovecot.conf is:

  passdb ldap {
    args = /pfx/etc/dovecot/dovecot-ldap.conf
  }

In /pfx/etc/dovecot/dovecot-ldap.conf:

  auth_bind = no
  dn = cn=mymgr,dc=host,dc=tld
  dnpass = ********
  default_pass_scheme = LDAP-MD5

In /pfx/etc/openldap/slapd.conf:

  password-hash {MD5}

If I try:

  $ /pfx/bin/ldapsearch <...> \
    | grep '^userPassword' \
    | sed -e 's;.*:: \(.*\)$;\1;' \
    | mimencode -u

...I get the correct password (MD5 hashed).

According to wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups this should work, and indeed when starting dovecot it does not complain about:

  'CRAM-MD5 mechanism can't be supported with given passdbs'

Instead it starts right up, but when a Thunderbird client connects and tries authenticating with CRAM-MD5 it fails.

In the wiki page 'PasswordLookups' it mentions:

  Supports non-plaintext authentication mechanisms (if returning plaintext/properly hashed passwords).

I've already verified that this works correctly with plaintext (CLEARTEXT in slapd.conf), but I really want to store the passwords in LDAP using some hash. Why doesn't LDAP-MD5 work as advertised? What did the author mean by 'properly hashed passwords'?

Thanks.

--
Eduard
Timo Sirainen
2009-Apr-08 22:39 UTC
[Dovecot] Trying nonplaintext mech with LDAP password-hash
On Thu, 2009-04-09 at 00:31 +0200, dovecotlist at encambio.com wrote:
> I've already verified that this works correctly with plaintext
> (CLEARTEXT in slapd.conf), but I really want to store the passwords
> in LDAP using some hash. Why doesn't LDAP-MD5 work as advertised?

Because it's impossible to support it. Read
http://wiki.dovecot.org/Authentication/Mechanisms

> What did the author mean by 'properly hashed passwords'? Thanks.

I made it a link now to
http://wiki.dovecot.org/Authentication/PasswordSchemes#Non-plaintext_authentication_mechanisms
dovecotlist at encambio.com
2009-Apr-08 23:10 UTC
[Dovecot] Trying nonplaintext mech with LDAP password-hash
Hello Timo,

On Wed, Apr 08, 2009, Timo Sirainen wrote:
> On Thu, 2009-04-09 at 00:31 +0200, dovecotlist at encambio.com wrote:
>> I've already verified that this works correctly with plaintext
>> (CLEARTEXT in slapd.conf), but I really want to store the passwords
>> in LDAP using some hash. Why doesn't LDAP-MD5 work as advertised?
>
> Because it's impossible to support it. Read
> http://wiki.dovecot.org/Authentication/Mechanisms
>
>> What did the author mean by 'properly hashed passwords'? Thanks.
>
> I made it a link now to
> http://wiki.dovecot.org/Authentication/PasswordSchemes#Non-plaintext_authentication_mechanisms

The new text clears up the confusion. Before, it sounded as if at least CRAM-MD5 could be implemented with MD5 encoded password storage. I suppose if LDAP could store passwords in CRAM-MD5 format (whatever that is) then this goal would be achievable. Reading slapd.conf(5), it seems LDAP can only store {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. It's probably in the RFC, and CRAM-MD5 is missing from the list. How sad.

--
Eduard
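As an added example for this thread (not code from Dovecot or from either poster), the Python below works through the mechanics behind Timo's "impossible" and the "properly hashed" wording: the {MD5} value slapd stores is md5(password), while a CRAM-MD5 response is HMAC-MD5 keyed by the password itself, so the server needs either the plaintext or the two MD5 states obtained after absorbing password^ipad and password^opad (the "CRAM-MD5 format" Eduard wondered about; Dovecot's CRAM-MD5 password scheme stores precomputed contexts of this kind, but the exact byte layout used here, inner state then outer state as little-endian words, is this example's own assumption). The challenge string, usernames and passwords are constructed for the example; the MD5 implementation is written out so the HMAC can be resumed from a stored intermediate state, which the standard library does not expose.

```python
"""CRAM-MD5 against stored password hashes, worked through in Python.

Added example for this thread; not Dovecot code.  The context layout
(inner state then outer state, little-endian words) is this example's
own assumption, not a claim about Dovecot's on-disk format.
"""
import base64
import hashlib
import hmac
import math
import struct

# Minimal MD5 whose compression step is callable on its own, so an HMAC
# can be resumed from a stored intermediate state.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
MD5_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_compress(state, block):
    """Absorb one 64-byte block into the 4-word MD5 state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_finish(state, tail, total_len):
    """Pad the remaining bytes and finish a digest whose earlier blocks are
    already in `state`; total_len is the length of the whole message."""
    msg = tail + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", total_len * 8)
    for i in range(0, len(msg), 64):
        state = md5_compress(state, msg[i:i + 64])
    return struct.pack("<4I", *state)


def md5(data):
    return md5_finish(MD5_INIT, data, len(data))


# What slapd stores with `password-hash {MD5}`: base64 of the raw digest.
def ldap_md5_entry(password):
    return "{MD5}" + base64.b64encode(md5(password)).decode()


# PLAIN/LOGIN work against it: hash what the client sent and compare.
def plain_login_ok(stored, password):
    return hmac.compare_digest(stored, ldap_md5_entry(password))


# A form that does serve CRAM-MD5: the MD5 states after absorbing the HMAC
# inner (0x36) and outer (0x5c) key pads.  Built once, from the plaintext.
def cram_md5_contexts(password):
    key = password if len(password) <= 64 else md5(password)
    key = key.ljust(64, b"\x00")
    inner = md5_compress(MD5_INIT, bytes(k ^ 0x36 for k in key))
    outer = md5_compress(MD5_INIT, bytes(k ^ 0x5C for k in key))
    return "{CRAM-MD5}" + (struct.pack("<4I", *inner) + struct.pack("<4I", *outer)).hex()


def server_challenge():
    # Constructed challenge in the RFC 2195 shape (not captured from a server).
    return base64.b64encode(b"<1234.1239229860@mail.host.tld>").decode()


def cram_md5_client(user, password, challenge_b64):
    """RFC 2195 client: HMAC-MD5(password, challenge), sent with the username."""
    digest = hmac.new(password, base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_server_verify(stored, challenge_b64, response_b64):
    """Check the response using only the stored contexts; the plaintext is
    never needed.  Any other scheme ({MD5}, {SSHA}, ...) cannot key the HMAC."""
    if not stored.startswith("{CRAM-MD5}"):
        return False
    raw = bytes.fromhex(stored[len("{CRAM-MD5}"):])
    inner, outer = struct.unpack("<4I", raw[:16]), struct.unpack("<4I", raw[16:])
    challenge = base64.b64decode(challenge_b64)
    _user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    inner_digest = md5_finish(inner, challenge, 64 + len(challenge))
    expected = md5_finish(outer, inner_digest, 64 + 16).hex()
    return hmac.compare_digest(expected, digest)
```

The point the thread turns on is visible in cram_md5_server_verify: the server resumes two half-finished MD5 computations that were keyed by the password, and nothing derivable from md5(password) lets it do that. Storing the two contexts is no better than plaintext against an attacker who reads the directory (they are all that is needed to impersonate the user), which is why Dovecot's wiki ties each non-plaintext mechanism to its own scheme instead of to a generic hash; slapd's fixed {SSHA}/{SHA}/{SMD5}/{MD5}/{CRYPT}/{CLEARTEXT} list applies only to passwords slapd hashes itself, so a CRAM-MD5-usable value would have to be written into userPassword by the provisioning side with a matching default_pass_scheme on the Dovecot side.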