[Dovecot] Re: ldap SMD5 vs. CRYPT

Adam Pordzik adresseverbummelt at gmx.de
Fri Oct 8 04:35:36 EEST 2004

Joshua Goodall wrote:
> On Tue, Oct 05, 2004 at 03:14:58PM +0200, Adam Pordzik wrote:
> > Hello,
> >
> > am I right, that dovecot can't cope with ldap so authentification
> > is handled by ldap itself? And, for that I have to use {CRYPT} and
> > cannot use other mechanisms as {SMD5}

> Dovecot doesn't support handing off authentication to LDAP, unless
> you use PAM (which eliminates the possibility of CRAM-MD5 or DIGEST-MD5
> authentication).

Thank you. I've now also read Timo's posts on that.

> Dovecot supports the RFC2307 userPassword LDAP attribute and through
> that the following schemes:
Anyway, I've recompiled OpenLDAP with crypt support, since in addition
it also offers a more simple way to migrate existing posix acocunts.

Although I appreciate your work I doubt that this is the right way:
Everytime a new encryption comes to any ldap-server, dovecot has to
follow. I'm really, really no Unix/C programer, so I can't appraise
what makes more work: To (re-)implement a new hash algorithm or to
support auth. ldap binds.

So, might it be better to abandon ldap entirely, to advantage of pam?
Or, maintaining a separate attribute "dovecotUserPasswort" or something
like that, with an algorithm dovedot can handle.

 > {MD5} (note: Dovecot's {MD5} differs from LDAP's {MD5})

Does that means that dovecot can't authenticate users with an OpenLDAP 
MD5 hash?

> You can fix the MD5 issue and gain support for {SMD5} with my patch
> at http://www.roughtrade.net/dovecot/dovecot-ldap-md5-quirk-
> although I haven't tested this recently. Let me know if it works for you.

Aha. But patching sources isn't my thing. After doing such, more things
will be broken as before... :-(



More information about the dovecot mailing list