After I found out that {CRYPT} doesn't support passwords longer than 8
characters, I decided to switch over to MD5 for user passwords in my LDAP
database. However, while I have no problem with Postfix + SASL, Dovecot fails
to authenticate. Relevant bits from /etc/dovecot-ldap.conf:

    user_attrs = mailAddress,,,,,
    # The search string is identical to what's found in /etc/saslauthd.conf:
    user_filter = (&(|(uid=%u)(mailAddress=%u))(status=active))
    pass_attrs = mailAddress,userPassword
    pass_filter = (&(|(uid=%u)(mailAddress=%u))(status=active))
    default_pass_scheme = PLAIN-MD5

When I try to connect using either KMail or SquirrelMail (which worked just
fine before I switched schemes), the following error appears in
/var/log/syslog:

    ldap(user@mydomain.tld): password mismatch

But when I try 'testsaslauthd -u user@mydomain.tld -p longpassword' it
authenticates just fine. I have the line 'password-hash {MD5}' in
/etc/ldap/slapd.conf, and I used 'slappasswd -h {MD5}' to create the MD5
versions of the passwords.

Dovecot is v. 0.99.11. If I can't figure out how to get it to work with MD5,
I guess I'll have to go back to CRYPT, but it would be nice to have longer
passwords...

:Peter

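The setup in the message above involves two encodings of the same unsalted MD5 digest: `slappasswd -h {MD5}` stores `{MD5}` followed by the base64 of the raw digest, while a hex-based scheme expects 32 hex characters. The Python sketch below is an added example, not part of the thread and not Dovecot's or OpenLDAP's code; it shows that a correct password only verifies when the stored value is decoded with the encoding it was written in. The function names are hypothetical, the sample password is constructed, and treating PLAIN-MD5 as the hex form is an assumption that the thread itself does not confirm.

```python
import base64
import hashlib
import hmac


def ldap_md5(password: str) -> str:
    """Value in the form `slappasswd -h {MD5}` produces: {MD5} + base64(raw digest)."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def hex_md5(password: str) -> str:
    """Unsalted MD5 as 32 hex characters (assumed form of a hex-based scheme)."""
    return hashlib.md5(password.encode()).hexdigest()


def split_scheme(stored: str, default: str):
    """Split an optional {SCHEME} prefix off a stored userPassword value."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.upper(), value
    return default, stored


def decode_digest(value: str, encoding: str):
    """Decode a stored digest as 'base64' or 'hex'; None unless it is 16 bytes."""
    try:
        if encoding == "base64":
            raw = base64.b64decode(value, validate=True)
        else:
            raw = bytes.fromhex(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == 16 else None


def verify(password: str, stored: str, encoding: str) -> bool:
    """Compare password with the stored digest, decoded with the given encoding."""
    _, value = split_scheme(stored, "MD5")
    raw = decode_digest(value, encoding)
    if raw is None:
        return False  # wrong encoding looks exactly like a wrong password
    return hmac.compare_digest(raw, hashlib.md5(password.encode()).digest())


if __name__ == "__main__":
    stored = ldap_md5("longpassword")  # constructed sample, not from the thread
    print(stored)
    print("decoded as base64:", verify("longpassword", stored, "base64"))
    print("decoded as hex:   ", verify("longpassword", stored, "hex"))
```
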
Peter Clark wrote:
> After I found out that {CRYPT} doesn't support passwords longer than 8
> characters, I decided to switch over to MD5 for user passwords in my LDAP
> database. However, while I have no problem with Postfix + SASL, Dovecot fails
> to authenticate.

I think you just found out that 3DES (?) only supports passwords with not
more than 8 characters. Try:

    password-hash {CRYPT}
    password-crypt-salt-format $1$%.8s

in your slapd.conf for MD5 hashes. After restarting slapd all newly created
and modified passwords will match that pattern.

Does anyone have the salt format for Blowfish ready to hand?

A

On 2004-12-31 21:10:46 +0300, Peter Clark wrote:
> Dovecot is v. 0.99.11. If I can't figure out how to get it to work with MD5,
> I guess I'll have to go back to CRYPT, but it would be nice to have longer
> passwords...

maybe try 0.99.13rc, it has some ldap/md5 related changes.

darix

--
irssi - the client of the smart and beautiful people
http://www.irssi.de/

On Friday 31 December 2004 21:59, Adam Pordzik wrote:
> password-hash {CRYPT}
> password-crypt-salt-format $1$%.8s
>
> in your slapd.conf for MD5 hashes. After restarting slapd all newly
> created and modified passwords will match that pattern.

This works, although I'm having problems with the change_ldappass module for
Squirrelmail, but that's off-topic. Upgrading to .99.13 isn't an option, since
I'm using Debian Testing (waiting for it to become Stable) and don't want to
mess around with things that are going to be outside of the security updates.

Thanks for your help, everyone, and happy new year!

:Peter

On Fri, 2004-12-31 at 19:59 +0100, Adam Pordzik wrote:
> Peter Clark wrote:
> > After I found out that {CRYPT} doesn't support passwords longer than 8
> > characters, I decided to switch over to MD5 for user passwords in my LDAP
> > database. However, while I have no problem with Postfix + SASL, Dovecot fails
> > to authenticate.
>
> I think you just found out that 3DES (?) only supports passwords with
> not more than 8 characters.

...although that limitation is not inherent. In fact, 3des is normally an
encryption algorithm, but encryption algorithms can easily be adapted for use
as hashing algorithms. Same for des.