[Dovecot] LDAP bind questions

Stuart Henderson stu at spacehopper.org
Tue Jul 8 23:01:12 EEST 2003


> And my next concern would become a non-issue if the above was
> supported, but is there a way to set the dnpass equal to a SSHA
> password?  When I try setting it like this:
> dnpass = {SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR

No, you need to supply the actual password. This password is 
(presumably) already stored hashed in your LDAP database. Your LDAP 
server will hash what it receives as the password and compare that with 
the password stored for that DN. Setting it like you have shown just 
causes Dovecot to use it as the literal password {SSHA}Vhxqnm.....

> I'd prefer not to have the password for the authentication admin user
> stored in plain text in the conf file.

There's no way to store an encrypted password in a conf file and have a 
plaintext version of that password used to authenticate (without e.g. 
manually typing a password each time that config file is read).

The DN used with the current Dovecot LDAP code obviously only needs 
read access to mail users' details, you don't have to give it any kind 
of write access, and you don't have to give it the ability to read 
passwords for non-mail-users (i.e. passwords for DNs with write access 
to the directory). You can also additionally restrict access to 
userPassword by IP addresses, too. So, if you aren't already doing 
this, at least there are a few ways you can reduce the exposure with 
the current code.

Of course, if someone has sufficient access to the machine running 
Dovecot that they can read the config file, they will already have some 
degree of access to user's passwords...



More information about the dovecot mailing list