Leon Kyneur
2016-Jun-14 13:34 UTC
Double variable expansion / multiple password mechanisms
Hi,

Trying to solve the problem of supporting multiple auth mechanisms + proxy and really don't want to store user passwords in plain text, and fine to do master user to backend.

I had the crazy thought I could do something like the following:

For each user, store supported password schemes as LDAP attributes:

userPasswordCRAM-MD5: {CRAM-MD5}xxx
userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
userPasswordSCRAM: {SCRAM-SHA-1}xxxx
userPasswordNTLM: {NTLM}xxxx

then:

=password=%{ldap:userPassword%m} <- Though this doesn't work.. just wondering if it could possibly work or if I should give up on this crazy idea :)

Thanks
Leon
Karsten Heiken
2016-Jun-14 14:40 UTC
Double variable expansion / multiple password mechanisms
Hi Leon,

> I had the crazy thought I could do something like the following:
>
> For each user Store supported password schemes as LDAP attributes:
> userPasswordCRAM-MD5: {CRAM-MD5}xxx
> userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
> userPasswordSCRAM: {SCRAM-SHA-1}xxxx
> userPasswordNTLM: {NTLM}xxxx

You should be able to add multiple userPassword attributes to your directory:

userPassword: {CRAM-MD5}xxx
userPassword: {DIGEST-MD5}xxxx
userPassword: {SCRAM-SHA-1}xxxx
userPassword: {NTLM}xxxx

Karsten
Leon Kyneur
2016-Jun-14 15:04 UTC
Double variable expansion / multiple password mechanisms
Hi Karsten,

> You should be able to add multiple userPassword attributes to your directory:
>
> userPassword: {CRAM-MD5}xxx
> userPassword: {DIGEST-MD5}xxxx
> userPassword: {SCRAM-SHA-1}xxxx
> userPassword: {NTLM}xxxx
>
> Karsten

Did try this, didn't end well.

Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
Jun 14 12:59:43 auth: Panic: file passdb-ldap.c: line 99 (ldap_lookup_finish): assertion failed: (password == NULL || scheme != NULL)
Jun 14 12:59:43 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x8699e) [0x7f0233cd499e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x86a7e) [0x7f0233cd4a7e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0233c78b3d] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7f022f4f020b] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7f022f4eee2f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f0233ce821c] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) [0x7f0233ce967f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f0233ce82a5] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f0233ce8458] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f0233c7f013] -> dovecot/auth [0 wait, 1 passdb, 0 userdb](main+0x39c) [0x7f023418a46c] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f0233264b15] -> dovecot/auth [0 wait, 1 passdb, 0 userdb](+0xf661) [0x7f023418a661]
Jun 14 12:59:43 auth: Fatal: master: service(auth): child 48169 killed with signal 6 (core dumps disabled)
Jun 14 12:59:43 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=48164, EOF)
Steffen Kaiser
2016-Jun-17 10:21 UTC
Double variable expansion / multiple password mechanisms
On Tue, 14 Jun 2016, Leon Kyneur wrote:

> For each user Store supported password schemes as LDAP attributes:
> userPasswordCRAM-MD5: {CRAM-MD5}xxx
> userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
> userPasswordSCRAM: {SCRAM-SHA-1}xxxx
> userPasswordNTLM: {NTLM}xxxx
>
> then:
> =password=%{ldap:userPassword%m} <- Though this doesn't work.. just wondering
> if it could possibly work or if I should give up on this crazy idea :)

Did you try:

userPassword%m=password

but I assume that these scripts are pulled in before %m is known.

You could try to add one *auth* entry per mechanism and per person:

mechanism=CRAM-MD5,uid=user,...

and use mechanism=%m in the filter.

--
Steffen Kaiser
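Steffen's one-entry-per-mechanism layout written out in full, as an added illustration that is not part of this thread or of Dovecot's own documentation: the objectClass dovecotMechAuth, the attribute dovecotMechanism and the base DN are assumed names for a local schema, and every hash value is a placeholder. Each entry carries exactly one userPassword, so passdb-ldap never sees the "Multiple password values not supported" condition from the log above.

```ldif
# Constructed LDIF (example only): one auth entry per mechanism for the same
# user. objectClass dovecotMechAuth and attribute dovecotMechanism are assumed
# local-schema names; uid=leon,ou=people,dc=example,dc=com is assumed to exist.

dn: dovecotMechanism=PLAIN,uid=leon,ou=people,dc=example,dc=com
objectClass: dovecotMechAuth
uid: leon
# PLAIN and LOGIN hand Dovecot the clear password, so a salted one-way hash
# is enough; one entry serves both by listing both mechanism names.
dovecotMechanism: PLAIN
dovecotMechanism: LOGIN
userPassword: {SSHA}PLACEHOLDER

dn: dovecotMechanism=CRAM-MD5,uid=leon,ou=people,dc=example,dc=com
objectClass: dovecotMechAuth
uid: leon
dovecotMechanism: CRAM-MD5
# CRAM-MD5, DIGEST-MD5 and NTLM secrets are password-equivalent for their own
# mechanism: whoever can read this value can authenticate with it, so keep
# the LDAP ACL on these entries as tight as on a clear password.
userPassword: {CRAM-MD5}PLACEHOLDER

dn: dovecotMechanism=SCRAM-SHA-1,uid=leon,ou=people,dc=example,dc=com
objectClass: dovecotMechAuth
uid: leon
dovecotMechanism: SCRAM-SHA-1
userPassword: {SCRAM-SHA-1}PLACEHOLDER

# Matching dovecot-ldap.conf.ext fragment (same assumptions). %m expands to
# the mechanism the client selected (PLAIN, LOGIN, CRAM-MD5, ...) and %n to
# the user part of the login name; the scheme prefix on the single
# userPassword value tells Dovecot how to verify it.
#
#   pass_filter = (&(objectClass=dovecotMechAuth)(uid=%n)(dovecotMechanism=%m))
#   pass_attrs  = userPassword=password
```

A mechanism with no matching entry simply fails the lookup for that user, which is the desired outcome when a scheme has deliberately not been provisioned.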