I don't think I understand. Right now the problem is the password
retrieved from LDAP cannot be hashed to compare against what the user sent
because it is encrypted. I have to perform my AES decryption before it can
be hashed and compared.
On Tue, Oct 9, 2012 at 1:03 PM, btb <btb at bitrate.net> wrote:
> On 2012.10.09 14.41, James Devine wrote:
>
>> We have an LDAP server that contains AES encrypted passwords. So far I've
>> been able to use this by adding a passdb module that encrypts the user's
>> password prior to ldap comparison. Now I am looking at supporting
>> client-side encrypted passwords. To do this I need to decrypt the password
>> returned by LDAP. Is there a way to insert a module to do this decryption
>> between ldap returning and the auth mechanism?
>>
> that would be unwise, generally speaking. as a rule of thumb, in terms
> of security fundamentals, only the rootdn [or equiv] should be able to read
> the values in an ldap entry's password attribute. certainly the service
> account used by dovecot should not.
>
> in the context of ldap, authentication should be accomplished by binding
> as the user, not by retrieving attribute values and performing string
> comparisons. among other things, this decouples the two components and
> allows applications [e.g. dovecot] to be unconcerned with whatever password
> hashing scheme the directory server might be using.
>
> -ben
>
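For readers following the thread, here is what the two approaches Ben contrasts look like in a Dovecot LDAP passdb configuration (dovecot-ldap.conf.ext). This is an added illustration, not configuration posted by either participant; the hostname, base DN and service account DN are made-up placeholders, and the directive names (`hosts`, `base`, `dn`, `dnpass`, `auth_bind`, `auth_bind_userdn`, `pass_filter`, `pass_attrs`) are standard Dovecot 2.x LDAP settings.

```ini
# --- Approach the thread warns against: read the password attribute and compare ---
# Dovecot's service account must be granted read access to userPassword,
# and Dovecot must understand (here: decrypt) whatever the directory stores.
hosts = ldap.example.test          # placeholder host
base = ou=people,dc=example,dc=test   # placeholder base DN
dn = cn=dovecot,ou=services,dc=example,dc=test   # placeholder service account
dnpass = SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER
auth_bind = no
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# Dovecot fetches the stored credential and does the comparison itself.
pass_attrs = userPassword=password

# --- Approach Ben recommends: bind to the directory as the user ---
# The service account only needs to search for the user's DN; it never
# reads userPassword, and the directory alone decides whether the
# password matches, whatever hashing or storage scheme it uses.
hosts = ldap.example.test
base = ou=people,dc=example,dc=test
dn = cn=dovecot,ou=services,dc=example,dc=test
dnpass = SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER
auth_bind = yes
# Optional shortcut: build the user DN directly and skip the search entirely.
# auth_bind_userdn = uid=%u,ou=people,dc=example,dc=test
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# With auth_bind = yes, pass_attrs must not fetch the password; leave it
# for any extra userdb-style fields only.
pass_attrs =
```

Only one of the two blocks would be present in a real file; they are shown together for comparison. One caveat that bears directly on the question in the thread: bind authentication requires Dovecot to have the user's cleartext password to present to the directory, so it only works with plaintext SASL mechanisms such as PLAIN and LOGIN (over TLS), not with challenge-response mechanisms like CRAM-MD5 that need the server to hold a comparable secret. Restricting read access to `userPassword` in the directory's ACLs is what actually enforces the "only the rootdn should be able to read it" rule; the Dovecot setting merely stops Dovecot from asking.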