[Dovecot] LDAP bind questions
Stuart Henderson
stu at spacehopper.org
Wed Jul 9 00:01:12 EEST 2003
> And my next concern would become a non-issue if the above was
> supported, but is there a way to set the dnpass equal to a SSHA
> password? When I try setting it like this:
> dnpass = {SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR
No, you need to supply the actual password. This password is
(presumably) already stored hashed in your LDAP database. Your LDAP
server will hash what it receives as the password and compare that with
the password stored for that DN. Setting it like you have shown just
causes Dovecot to use it as the literal password {SSHA}Vhxqnm.....
> I'd prefer not to have the password for the authentication admin user
> stored in plain text in the conf file.
There's no way to store an encrypted password in a conf file and have a
plaintext version of that password used to authenticate (without e.g.
manually typing a password each time that config file is read).
The DN used with the current Dovecot LDAP code obviously only needs
read access to mail users' details; you don't have to give it any kind
of write access, and you don't have to give it the ability to read
passwords for non-mail-users (i.e. passwords for DNs with write access
to the directory). You can also additionally restrict access to
userPassword by IP addresses, too. So, if you aren't already doing
this, at least there are a few ways you can reduce the exposure with
the current code.
Of course, if someone has sufficient access to the machine running
Dovecot that they can read the config file, they will already have some
degree of access to users' passwords...
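As an added illustration (not part of this thread), the Python below does what the LDAP server does on a simple bind against an {SSHA} userPassword value: recover the salt, hash the presented password with it, and compare. It assumes the usual RFC 2307 layout of base64(sha1(password + salt) + salt); the {SSHA} value from the question is reused only to show that it decodes to a 20-byte digest plus a 4-byte salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The {SSHA} value quoted in the question above (plaintext unknown).
QUOTED_DNPASS = "{SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR"


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split an RFC 2307-style {SSHA} value into (sha1 digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value as an LDAP server would store it."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(presented: str, stored: str) -> bool:
    """Server-side bind check: hash what was sent with the stored salt
    and compare it to the stored digest (constant-time)."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(presented.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def bind_outcomes(plaintext: str, stored: str) -> dict:
    """Show why dnpass must hold the plaintext: the server hashes whatever
    it receives, so sending the {SSHA} string itself never matches."""
    return {
        "plaintext_as_dnpass": ssha_verify(plaintext, stored),
        "hash_string_as_dnpass": ssha_verify(stored, stored),
    }


if __name__ == "__main__":
    stored = ssha_hash("constructed-example-secret", salt=b"\x01\x02\x03\x04")
    print(bind_outcomes("constructed-example-secret", stored))
```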