Leon Kyneur
2016-Jun-14 15:04 UTC
Double variable expansion / multiple password mechanisms
Hi Karsten,

> You should be able to add multiple userPassword attributes to your directory:
>
> userPassword: {CRAM-MD5}xxx
> userPassword: {DIGEST-MD5}xxxx
> userPassword: {SCRAM-SHA-1}xxxx
> userPassword: {NTLM}xxxx
>
> Karsten

Did try this, didn't end well.

Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
Jun 14 12:59:43 auth: Panic: file passdb-ldap.c: line 99 (ldap_lookup_finish): assertion failed: (password == NULL || scheme != NULL)
Jun 14 12:59:43 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x8699e) [0x7f0233cd499e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x86a7e) [0x7f0233cd4a7e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0233c78b3d] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7f022f4f020b] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7f022f4eee2f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f0233ce821c] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) [0x7f0233ce967f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f0233ce82a5] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f0233ce8458] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f0233c7f013] -> dovecot/auth [0 wait, 1 passdb, 0 userdb](main+0x39c) [0x7f023418a46c] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f0233264b15] -> dovecot/auth [0 wait, 1 passdb, 0 userdb](+0xf661) [0x7f023418a661]
Jun 14 12:59:43 auth: Fatal: master: service(auth): child 48169 killed with signal 6 (core dumps disabled)
Jun 14 12:59:43 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=48164, EOF)
Karsten Heiken
2016-Jun-14 15:15 UTC
Double variable expansion / multiple password mechanisms
Hi Leon,

>> You should be able to add multiple userPassword attributes to your directory:
>>
>> userPassword: {CRAM-MD5}xxx
>> userPassword: {DIGEST-MD5}xxxx
>> userPassword: {SCRAM-SHA-1}xxxx
>> userPassword: {NTLM}xxxx
>
> Did try this, didn't end well.
>
> Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
> [...]

Huh. You're right, I'm sorry.

A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:

> dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'

Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.

But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup.
If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.

http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

This of course only works for passdb lookups.
Leon Kyneur
2016-Jun-14 15:26 UTC
Double variable expansion / multiple password mechanisms
On 14/06/16 23:15, Karsten Heiken wrote:
> Hi Leon,
>
>>> You should be able to add multiple userPassword attributes to your directory:
>>>
>>> userPassword: {CRAM-MD5}xxx
>>> userPassword: {DIGEST-MD5}xxxx
>>> userPassword: {SCRAM-SHA-1}xxxx
>>> userPassword: {NTLM}xxxx
>> Did try this, didn't end well.
>>
>> Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
>> [...]
> Huh. You're right, I'm sorry.
>
> A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:
>> dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'
> Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.
>
> But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup.
> If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.
>
> http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> This of course only works for passdb lookups.

Auth bind won't work here, as if they auth with an encrypted password it can't bind to LDAP with it, and I get a lot of these:

auth: Info: ldap(leonkyneur,192.168.99.3,<7Rr1lj41tJzLhgGR>): Requested DIGEST-MD5 scheme, but we have a NULL password
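The following is an added example, not code from Dovecot or from either poster in this thread. It shows in Python the per-mechanism selection the thread was hoping for (several userPassword values, one per scheme, with the one matching the SASL mechanism chosen), which Dovecot's LDAP passdb refuses with "Multiple password values not supported", and it shows why auth_bind and a single {SSHA} value are only enough for cleartext mechanisms: a challenge-response mechanism such as DIGEST-MD5 needs either its own scheme or a cleartext password, otherwise the lookup ends in the "Requested DIGEST-MD5 scheme, but we have a NULL password" case. The mechanism and scheme names are the ones quoted above; the compatibility table, the constructed directory entry and the helper names are the example's own.

```python
import base64
import hashlib
import hmac
import re

# Example's own compatibility table (not Dovecot's code). Mechanisms that send
# the password itself (over TLS) can be verified against any stored scheme;
# challenge-response mechanisms need the secret stored in their own scheme, or
# a cleartext password from which the expected response can be computed.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "NTLM"}
CLEARTEXT_SCHEMES = {"PLAIN", "CLEARTEXT"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9.\-]+)\}(.*)$", re.S)


def parse_user_password(value):
    """Split an RFC 2307 style '{SCHEME}data' value into (scheme, data).

    A value without a prefix comes back with scheme None; a server would then
    fall back to its configured default scheme.
    """
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def select_password(values, mechanism):
    """Pick the single stored value usable for `mechanism`, or None."""
    mech = mechanism.upper()
    parsed = [parse_user_password(v) for v in values]
    if mech in PLAINTEXT_MECHS:
        # Any verifiable scheme works for a cleartext mechanism; take the first.
        return parsed[0] if parsed else None
    if mech in CHALLENGE_MECHS:
        # Prefer the mechanism-specific scheme, then a cleartext password.
        for scheme, data in parsed:
            if scheme == mech:
                return scheme, data
        for scheme, data in parsed:
            if scheme in CLEARTEXT_SCHEMES:
                return scheme, data
        # Nothing usable: the "Requested X scheme, but we have a NULL password"
        # situation from the thread.
        return None
    raise ValueError("unknown mechanism: %s" % mechanism)


def make_ssha(password, salt):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt); salt is bytes."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, data):
    """Check a cleartext password (as sent by PLAIN/LOGIN) against {SSHA} data."""
    raw = base64.b64decode(data)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_plain(values, password):
    """Authenticate a PLAIN/LOGIN attempt against the entry's stored values."""
    chosen = select_password(values, "PLAIN")
    if chosen is None or chosen[0] != "SSHA":
        return False                            # only {SSHA} is implemented here
    return verify_ssha(password, chosen[1])


# Constructed directory entry: one userPassword per scheme, as the thread tried.
# The CRAM-MD5 data is placeholder text, not a real CRAM-MD5 context.
SAMPLE_ENTRY = [
    make_ssha("s3cret", b"\x01\x02\x03\x04"),
    "{CRAM-MD5}placeholder-cram-md5-data",
]

if __name__ == "__main__":
    for mech in ("PLAIN", "CRAM-MD5", "DIGEST-MD5"):
        print(mech, "->", select_password(SAMPLE_ENTRY, mech))
    print("PLAIN login with s3cret:", verify_plain(SAMPLE_ENTRY, "s3cret"))
```

Running it prints a usable value for PLAIN and CRAM-MD5 but None for DIGEST-MD5, because the entry has neither a {DIGEST-MD5} value nor a cleartext one; that is the same gap the last log line above reports, and adding an auth_bind does not close it, since a bind can only be attempted with a cleartext password.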