Hi,
I'm using dovecot-1.0.0 on a Gentoo box and I have a problem with authentication
using digest-md5 and passwords stored as plain text in an LDAP database. When I
use cram-md5 it works, while digest-md5 gives this error (squirrelmail login):
May 5 16:03:32 srv dovecot: auth(default): client in: AUTH 1
DIGEST-MD5 service=IMAP secured lip=127.0.0.1 rip=127.0.0.1
May 5 16:03:32 srv dovecot: auth(default): client out: CONT 1
[password hash]
May 5 16:03:32 srv dovecot: auth(default): client in: CONT<hidden>
May 5 16:03:32 srv dovecot: auth(default): ldap(user at domain.com,127.0.0.1):
pass search: base=ou=domain.com,cn=Users,dc=domain,dc=com scope=subtree
filter=(&(objectClass=posixAccount)(uid=user)) fields=userPassword
May 5 16:03:32 srv dovecot: auth(default): ldap(user at domain.com,127.0.0.1):
result: userPassword(password)=<hidden>
May 5 16:03:32 srv dovecot: auth(default): digest-md5
(user at domain.com,127.0.0.1): password mismatch
May 5 16:03:32 srv dovecot: auth(default): client out: FAIL 1
user=user at domain.com
May 5 16:03:32 srv dovecot: imap-login: Aborted login:
user=<user at domain.com>, method=DIGEST-MD5, rip=127.0.0.1,
lip=127.0.0.1,
secured
It seems that the client and dovecot hashes calculated for DIGEST-MD5 are
different. I tested squirrelmail 1.4.9a and kmail 3.5.6; both can't log in using
digest-md5, so maybe dovecot is not working correctly? Passwords were
created using phpldapadmin and the "clear" password type; cram-md5 logins
are OK.
I can't find any info on LDAP and digest-md5 incompatibility in the dovecot
wiki.
Can anyone give me a hint?
my dovecot-ldap.conf:
uris = ldaps://127.0.0.1
dn = uid=dovecot,cn=Daemons,dc=domain,dc=com
dnpass = secret
sasl_bind = no
tls = no
auth_bind = no
ldap_version = 3
base = ou=%d,cn=Users,dc=domain,dc=com
deref = never
scope = subtree
pass_attrs = userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
default_pass_scheme = PLAIN
my dovecot.conf:
protocols = imap imaps managesieve
shutdown_clients = yes
syslog_facility = mail
ssl_cert_file = /etc/ssl/cert
ssl_key_file = /etc/ssl/key
verbose_ssl = no
login_process_per_connection = yes
login_processes_count = 2
login_max_processes_count = 10
login_user = dovecot
login_dir = /var/run/dovecot/login
login_chroot = yes
mail_location = maildir:/var/mail/%d/%n
mail_extra_groups = postfix
mail_full_filesystem_access = no
mail_debug = no
verbose_proctitle = yes
first_valid_uid = 2000
last_valid_uid = 2000
first_valid_gid = 2000
last_valid_uid = 2000
maildir_copy_with_hardlinks = yes
disable_plaintext_auth = yes
protocol imap {
  imap_client_workarounds = outlook-idle
}
protocol lda {
  postmaster_address = postmaster at domain.com
  hostname = domain.com
  mail_plugins = cmusieve
}
auth_default_realm = pcserwis.net
auth_username_format = %Lu
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = no
auth default {
  mechanisms = plain login cram-md5 digest-md5
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb static {
    args = uid=2000 gid=2000 home=/var/mail/%d/%n
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = vmail
      group = postfix
    }
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
    }
  }
}
protocol managesieve {
  listen = *:2000
  login_executable = /usr/libexec/dovecot/managesieve-login
  mail_executable = /usr/libexec/dovecot/managesieve
}
--
Łukasz Mierzwa
Saturday 05 of May 2007 16:13:47 Łukasz Mierzwa wrote:

Nobody tried DIGEST-MD5 ?
--
Łukasz Mierzwa
On Sat, 2007-05-05 at 16:13 +0200, Łukasz Mierzwa wrote:
> May 5 16:03:32 srv dovecot: auth(default): digest-md5
> (user at domain.com,127.0.0.1): password mismatch
..
> It seems that client and dovecot hashes calculated for DIGEST-MD5 are
> different, I tested squirrelmail 1.4.9a, kmail 3.5.6 both can't login using
> digest-md5 so maybe dovecot is not working correctly? Passwords were
> created using phpldapadmin and "clear" password type, cram-md5 logins are ok.
> I can't find any info on ldap and digest-md5 incompatibility in dovecot wiki,
> can anyone give me a hint?

I'm guessing they're using a different username in the hash calculation. DIGEST-MD5 hashes are a bit special because they contain the username also in them.

> auth_default_realm = pcserwis.net
> auth_username_format = %Lu

If you're not logging in as lowercased user at pcserwis.net that's the problem. Or any other mismatch in the username as well.
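
The point made in the reply above, as an added example (not code from this thread or from Dovecot): the DIGEST-MD5 response defined in RFC 2831 hashes the username and realm together with the password, while the CRAM-MD5 digest of RFC 2195 is keyed by the password alone. `server_identity` is a hypothetical model of the server lowercasing the login and applying a default realm; the password, nonce and digest-uri values are constructed.

```python
import hashlib
import hmac

def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth"):
    """RFC 2831 response value for qop=auth with no authzid."""
    # The shared secret is a hash over username AND realm, not just the password.
    secret = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    final = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(final.encode()).hexdigest()

def cram_md5_response(password, challenge):
    """RFC 2195 digest: HMAC-MD5 keyed by the password only."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()

def server_identity(login, default_realm):
    """Assumed normalisation: lowercase, add default realm, split at '@'."""
    login = login.lower()
    if "@" not in login:
        login = f"{login}@{default_realm}"
    user, _, realm = login.partition("@")
    return user, realm

def digest_login_ok(client_user, client_realm, server_login, default_realm,
                    password="constructed-pw"):
    """True when client and server derive the same DIGEST-MD5 response."""
    nonce, cnonce, uri = "constructed-nonce", "constructed-cnonce", "imap/srv"
    s_user, s_realm = server_identity(server_login, default_realm)
    client = digest_md5_response(client_user, client_realm, password,
                                 nonce, cnonce, uri)
    server = digest_md5_response(s_user, s_realm, password, nonce, cnonce, uri)
    return hmac.compare_digest(client, server)

if __name__ == "__main__":
    realm = "pcserwis.net"  # auth_default_realm from the posted config
    print(digest_login_ok("user", "domain.com", "user@domain.com", realm))    # True
    print(digest_login_ok("User", "domain.com", "user@domain.com", realm))    # False
    print(digest_login_ok("user", "pcserwis.net", "user@domain.com", realm))  # False
    print(digest_login_ok("user", "pcserwis.net", "user", realm))             # True
```

Any difference in case or realm between what the client hashed and what the server reconstructs yields "password mismatch" even though the stored password is correct, which is why CRAM-MD5 can succeed against the same account.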