[Dovecot] Re: ldap SMD5 vs. CRYPT
Joshua Goodall
joshua at roughtrade.net
Sat Oct 9 11:58:08 EEST 2004
On Fri, Oct 08, 2004 at 03:35:36AM +0200, Adam Pordzik wrote:
> So, might it be better to abandon ldap entirely, to advantage of pam?
> Or, maintaining a separate attribute "dovecotUserPasswort" or something
> like that, with an algorithm Dovecot can handle.
If you use PAM, you *have* to use a plaintext authentication mechanism.
This means for security you have to do IMAP over SSL, which may be a hassle for
some environments (especially those without a certificate from a commonly
trusted CA). I like to make DIGEST-MD5 and CRAM-MD5 available, and they
support the use of non-plaintext secrets.
Secondly, the code that handles all the hashes is not LDAP-specific.
Many of Dovecot's other password database backends can store a {STRING}data
format secret.
Thirdly, Dovecot 1.0-test handles all of the OpenLDAP forms for
userPassword, so why bother inventing a non-standard schema?
> > {MD5} (note: Dovecot's {MD5} differs from LDAP's {MD5})
>
> Does that mean that dovecot can't authenticate users with an OpenLDAP
> MD5 hash?
Not at all. It just means that the code works around the difference.
> >You can fix the MD5 issue and gain support for {SMD5} with my patch
> >at http://www.roughtrade.net/dovecot/dovecot-ldap-md5-quirk-0.99.10.6.diff
> >although I haven't tested this recently. Let me know if it works for you.
>
> Aha. But patching sources isn't my thing. After doing such, more things
> will be broken than before... :-(
Well, I wrote that patch and I've used it, and a variant is now in 1.0-test.
J
--
Joshua Goodall "as modern as tomorrow afternoon"
joshua at roughtrade.net - FW109
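The OpenLDAP userPassword forms the thread refers to ({MD5}, {SMD5}, plaintext), as an added example that is not part of this mailing-list message or of Dovecot's own code: parsing the {SCHEME} prefix and verifying a candidate password against the stored value. The LDAP {MD5} layout used here is the RFC 2307 style one; Dovecot's own, different {MD5} scheme is deliberately not implemented, and the function names are mine.

```python
import base64
import hashlib
import hmac
import os

# userPassword value formats as stored by OpenLDAP (RFC 2307 style):
#   {MD5}<base64(md5(password))>
#   {SMD5}<base64(md5(password + salt) + salt)>
#   no prefix -> plaintext
# Dovecot's own {MD5} scheme is a different algorithm (the quirk discussed
# in the message above), so values taken from LDAP must be dispatched to the
# LDAP variant, never to Dovecot's.

def parse_scheme(stored):
    """Split '{SCHEME}data' into (SCHEME, data); (None, value) if no prefix."""
    if not stored.startswith("{"):
        return None, stored
    end = stored.find("}")
    if end < 0:
        raise ValueError("unterminated scheme prefix")
    return stored[1:end].upper(), stored[end + 1:]

def verify_ldap_userpassword(stored, password):
    """Return True if password matches the stored LDAP userPassword value."""
    scheme, data = parse_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None:
        # Constant-time compare even for plaintext, to avoid timing leaks.
        return hmac.compare_digest(data.encode("utf-8"), pw)
    raw = base64.b64decode(data)
    if scheme == "MD5":
        # Unsalted: identical passwords give identical values, so this form
        # is cheap to attack with precomputed tables. Prefer salted schemes.
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]   # an MD5 digest is 16 bytes
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    raise ValueError(f"unsupported scheme {{{scheme}}}")

def make_smd5(password, salt=None):
    """Produce an OpenLDAP-compatible {SMD5} value (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")
```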