[Dovecot] Re: ldap SMD5 vs. CRYPT

Joshua Goodall joshua at roughtrade.net
Sat Oct 9 11:58:08 EEST 2004


On Fri, Oct 08, 2004 at 03:35:36AM +0200, Adam Pordzik wrote:
> So, might it be better to abandon ldap entirely, to advantage of pam?
> Or, maintaining a separate attribute "dovecotUserPasswort" or something
> like that, with an algorithm Dovecot can handle.

If you use PAM, you *have* to use a plaintext authentication mechanism.
This means for security you have to do IMAP over SSL, which may be a hassle for
some environments (especially those without a certificate from a commonly
trusted CA).  I like to make DIGEST-MD5 and CRAM-MD5 available, and they
support the use of non-plaintext secrets.

Secondly, the code that handles all the hashes is not LDAP-specific.
Many of Dovecot's other password database backends can store a {STRING}data
format secret.

Thirdly, Dovecot 1.0-test handles all of the OpenLDAP forms for
userPassword, so why bother inventing a non-standard schema?


> > {MD5} (note: Dovecot's {MD5} differs from LDAP's {MD5})
> 
> Does that mean that dovecot can't authenticate users with an OpenLDAP
> MD5 hash?

Not at all. It just means that the code works around the difference.

> >You can fix the MD5 issue and gain support for {SMD5} with my patch
> >at http://www.roughtrade.net/dovecot/dovecot-ldap-md5-quirk-0.99.10.6.diff
> >although I haven't tested this recently. Let me know if it works for you.
> 
> Aha. But patching sources isn't my thing. After doing such, more things
> will be broken than before... :-(

Well, I wrote that patch and I've used it, and a variant is now in 1.0-test.

J

-- 
Joshua Goodall                           "as modern as tomorrow afternoon"
joshua at roughtrade.net                                       - FW109
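Added example, not code from this thread or from Dovecot: a small Python model of the two points above. verify_ldap_password() checks a password against the OpenLDAP userPassword forms discussed ({MD5}, {SMD5}, {SHA}, {SSHA}), with the salted forms stored as base64(digest(password + salt) + salt). It also shows the shape-based disambiguation a "quirk" workaround needs: Dovecot's own {MD5} scheme is MD5-crypt, which begins with "$1$", while the LDAP {MD5} scheme is a bare base64 digest; MD5-crypt and {CRYPT} are left to crypt(3) and are not reimplemented here. The CRAM-MD5 functions model the RFC 2195 exchange and make the first point concrete: the server side can only answer when its store holds a usable secret ({PLAIN} here), not an {SSHA}-style hash, which is why PAM or hashed-only stores force plaintext mechanisms over SSL. The {PLAIN} scheme name, the lookup callback and the sample credentials are assumptions for the example.

```python
"""Added example (not from the Dovecot thread or project)."""
import base64
import hashlib
import hmac
import os


def split_scheme(value: str):
    """Split an LDAP-style '{SCHEME}data' string into (SCHEME, data)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, data = value[1:].split("}", 1)
    return scheme.upper(), data


def make_ldap_hash(password: str, scheme: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP userPassword value.

    {MD5}/{SHA}: base64(digest(pw)); {SMD5}/{SSHA}: base64(digest(pw+salt) + salt).
    """
    pw = password.encode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme in ("SMD5", "SSHA"):
        salt = salt or os.urandom(4)  # OpenLDAP commonly uses a 4-byte salt
        h = hashlib.md5 if scheme == "SMD5" else hashlib.sha1
        return "{%s}%s" % (scheme, base64.b64encode(h(pw + salt).digest() + salt).decode())
    raise ValueError("unsupported scheme: " + scheme)


def verify_ldap_password(password: str, stored: str) -> bool:
    """Check a password against a {SCHEME}data value (server side of PLAIN auth)."""
    scheme, data = split_scheme(stored)
    pw = password.encode()
    if scheme == "MD5" and data.startswith("$1$"):
        # Dovecot's own {MD5} is MD5-crypt ("$1$salt$hash"); LDAP's {MD5} is a
        # bare base64 digest. Telling them apart by shape is the "quirk" fix.
        raise NotImplementedError("MD5-crypt value: hand it to crypt(3)")
    if scheme == "CRYPT":
        raise NotImplementedError("{CRYPT} is delegated to crypt(3)")
    raw = base64.b64decode(data)
    if scheme in ("MD5", "SHA"):
        h = hashlib.md5 if scheme == "MD5" else hashlib.sha1
        return hmac.compare_digest(h(pw).digest(), raw)
    if scheme in ("SMD5", "SSHA"):
        h, n = (hashlib.md5, 16) if scheme == "SMD5" else (hashlib.sha1, 20)
        digest, salt = raw[:n], raw[n:]  # salt is whatever follows the digest
        return hmac.compare_digest(h(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): base64('user ' + hex(HMAC-MD5(pw, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def decode_cram_response(response_b64: str):
    """Split a client response back into (username, hex digest)."""
    username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    return username, digest


def cram_md5_server_check(response_b64: str, challenge: bytes, lookup) -> bool:
    """Server side of CRAM-MD5. lookup(user) returns the stored '{SCHEME}data'.

    Only a secret the server can key HMAC with works; a hashed userPassword
    (e.g. {SSHA}) cannot reproduce the client's digest, so the check fails.
    """
    username, digest = decode_cram_response(response_b64)
    scheme, data = split_scheme(lookup(username))
    if scheme != "PLAIN":  # assumed scheme name for a cleartext secret
        return False
    expected = hmac.new(data.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample data; the challenge/user/password are the RFC 2195 example.
    print(make_ldap_hash("password", "MD5"), make_ldap_hash("s3cret", "SSHA"))
    ch = b"<1896.697170952@postoffice.reston.mci.net>"
    resp = cram_md5_response("tim", "tanstaaftanstaaf", ch)
    print(cram_md5_server_check(resp, ch, lambda u: "{PLAIN}tanstaaftanstaaf"),
          cram_md5_server_check(resp, ch, lambda u: make_ldap_hash("tanstaaftanstaaf", "SSHA")))
```

The salted forms carry the salt inside the base64 blob, so a verifier must decode first and split at the digest length rather than parse the string; and because the server has no way to recover a password from {SSHA} or {SMD5}, a store holding only those values can never serve CRAM-MD5 or DIGEST-MD5, which is exactly the trade-off between hashed-at-rest secrets and non-plaintext mechanisms the message describes.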


