[Dovecot] bug? ldap auth CRAM-MD5

André Höpner a.hoepner at ibased.de
Wed Apr 25 20:07:35 EEST 2007


Hello list,

Our users are authenticated against an LDAP server.
Everything works fine...

dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured

But now we want to use secure passwords and not
only plain over SSL, so we configured Dovecot to use
CRAM-MD5 and configured the LDAP server with CRAM-MD5
passwords. As clients we used Thunderbird 2.0 and a
web frontend called Roundcube.
That does not work, because the server gives...

dovecot: auth(default): ldap(xxx,127.0.0.1): Password mismatch

Then we tried to use DIGEST-MD5. We changed the LDAP
password to the one created with dovecotpw,
but this doesn't work either. Thunderbird requests CRAM-MD5
and not DIGEST-MD5.

So the log says:
dovecot: auth(default): password(xxx,127.0.0.1): Requested CRAM-MD5 scheme,
but we have only DIGEST-MD5
imap-login: Aborted login: user=<xxx>, method=CRAM-MD5

After that we changed the password back to CRAM-MD5, but
we made the mistake of not deleting the DIGEST-MD5 value,
so the users had 2 passwords set...

{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
{DIGEST-MD5}358aefa044c08e6c19711c8117714fb0

The password is "test" in both cases.
On the next try, when we started Thunderbird, it works. I don't know
why, and the log of Dovecot says...

auth(default): ldap(xxx,127.0.0.1): Multiple password values not supported
imap-login: Login: user=<xxx>, method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

The user was logged in using CRAM-MD5. It's not nice but it works.
Does anyone have an idea why? Because of the Apache module that authenticates against
LDAP, and Apache supports neither CRAM-MD5 nor DIGEST-MD5, we
have set the password a third time using MD5.

So every user has the same password three times with different encryptions.
Not nice - but it works. But what can we do to change this? I don't
like to set passwords three times.


Our configuration:

# /etc/dovecot/dovecot.conf
ssl_cert_file: /etc/ssl/ssl.pem
ssl_key_file: /etc/ssl/ssl.key
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_extra_groups: mail
mail_location: mbox:/var/mail/dovecot/%n:INDEX=/var/mail/dovecot/indexes/%n
mail_plugins: quota imap_quota
auth default:
  mechanisms: plain login cram-md5 digest-md5
  verbose: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
plugin:
  quota: maildir:storage=1024

-------------

# /etc/dovecot/dovecot-ldap.conf
hosts = 127.0.0.1:389
dn = cn=dovecot,dc=xxx,dc=com
dnpass = dovecot

sasl_bind = no
sasl_mech = DIGEST-MD5
tls = no
auth_bind = no

ldap_version = 3
base = ou=People,dc=xxx,dc=com
scope = subtree

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))

default_pass_scheme = DIGEST-MD5

-------------

best regards
Andre
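As an added illustration (not code from this post or from Dovecot itself), here is a small Python model of the scheme/mechanism matching behind the two log errors quoted above, together with the actual HMAC-MD5 check CRAM-MD5 performs. The COMPATIBLE table follows Dovecot's documented rule that a challenge-response mechanism needs either the plaintext password or a hash made for that mechanism; the "first value wins" handling of multiple userPassword values is an assumption based on the log in this post, and the challenge string in the usage is constructed.

```python
import hashlib
import hmac

# Stored password schemes each SASL mechanism can be verified against
# (rule: challenge-response needs plaintext or its own scheme's hash).
COMPATIBLE = {
    "PLAIN": {"PLAIN", "CRAM-MD5", "DIGEST-MD5"},
    "LOGIN": {"PLAIN", "CRAM-MD5", "DIGEST-MD5"},
    "CRAM-MD5": {"PLAIN", "CRAM-MD5"},
    "DIGEST-MD5": {"PLAIN", "DIGEST-MD5"},
}

def parse_stored(value, default_scheme):
    """Split "{SCHEME}data"; an unprefixed value gets default_pass_scheme."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.upper(), data
    return default_scheme.upper(), value

def select_scheme(values, mechanism, default_scheme):
    """Return (usable scheme or None, log lines) for the LDAP userPassword
    values. Assumption: with several values, warn and use the first one."""
    log = []
    if len(values) > 1:
        log.append("Multiple password values not supported")
    scheme, _ = parse_stored(values[0], default_scheme)
    if scheme not in COMPATIBLE[mechanism]:
        log.append(f"Requested {mechanism} scheme, but we have only {scheme}")
        return None, log
    return scheme, log

def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the raw password."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5)
    return f"{user} {mac.hexdigest()}"

def verify_cram_md5(response, challenge, stored, default_scheme="PLAIN"):
    """Server side: only a PLAIN stored password can recompute the HMAC;
    a DIGEST-MD5 hash (MD5 of user:realm:password) cannot key it."""
    scheme, data = parse_stored(stored, default_scheme)
    if scheme != "PLAIN":
        return False
    user = response.split(" ", 1)[0]
    return hmac.compare_digest(response, cram_md5_response(user, data, challenge))

def digest_md5_scheme(user, realm, password):
    """Dovecot's DIGEST-MD5 password scheme: hex MD5 of user:realm:password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
```

Running select_scheme with a single {DIGEST-MD5} value and mechanism CRAM-MD5 reproduces the "Requested CRAM-MD5 scheme, but we have only DIGEST-MD5" line, and verify_cram_md5 shows why: the stored digest cannot be used to recompute the client's HMAC.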


