[Dovecot] ldap and digest-md5 problem

Łukasz Mierzwa prymitive at pcserwis.net
Sat May 5 17:13:47 EEST 2007 

Hi,

I'm using dovecot-1.0.0 on gentoo box and I have problem with authentication 
using digest-md5 and passwords stored as plain text in ldap database, when I 
use cram-md5 it works, while digest-md5 give this error (squirrelmail login):

May  5 16:03:32 srv dovecot: auth(default): client in: AUTH     1       
DIGEST-MD5      service=IMAP    secured lip=127.0.0.1   rip=127.0.0.1
May  5 16:03:32 srv dovecot: auth(default): client out: CONT    1       
[password hash]
May  5 16:03:32 srv dovecot: auth(default): client in: CONT<hidden>
May  5 16:03:32 srv dovecot: auth(default): ldap(user at domain.com,127.0.0.1): 
pass search: base=ou=domain.com,cn=Users,dc=domain,dc=com scope=subtree 
filter=(&(objectClass=posixAccount)(uid=user)) fields=userPassword
May  5 16:03:32 srv dovecot: auth(default): ldap(user at domain.com,127.0.0.1): 
result: userPassword(password)=<hidden>
May  5 16:03:32 srv dovecot: auth(default): digest-md5
(user at domain.com,127.0.0.1): password mismatch
May  5 16:03:32 srv dovecot: auth(default): client out: FAIL    1       
user=user at domain.com
May  5 16:03:32 srv dovecot: imap-login: Aborted login: 
user=<user at domain.com>, method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, 
secured

It seems that client and dovecot hashes calculated for DIGEST-MD5 are 
different, I tested squirrelmail 1.4.9a, kmail 3.5.6 both can't login using 
digest-md5 so maybe dovecot does not working correctly? Passwords where 
created using phpldapadmin and "clear" password type, cram-md5 logins are ok.
I can't find any info on ldap and digest-md5 incompatibility in dovecot wiki, 
can anyone give my a hint?

my dovecot-ldap.conf:
uris = ldaps://127.0.0.1
dn = uid=dovecot,cn=Daemons,dc=domain,dc=com
dnpass = secret
sasl_bind = no
tls = no
auth_bind = no
ldap_version = 3
base = ou=%d,cn=Users,dc=domain,dc=com
deref = never
scope = subtree
pass_attrs = userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
default_pass_scheme = PLAIN

my dovecot.conf:
protocols = imap imaps managesieve
shutdown_clients = yes
syslog_facility = mail
ssl_cert_file = /etc/ssl/cert
ssl_key_file = /etc/ssl/key
verbose_ssl = no
login_process_per_connection = yes
login_processes_count = 2
login_max_processes_count = 10
login_user = dovecot
login_dir = /var/run/dovecot/login
login_chroot = yes
mail_location = maildir:/var/mail/%d/%n
mail_extra_groups = postfix
mail_full_filesystem_access = no
mail_debug = no
verbose_proctitle = yes
first_valid_uid = 2000
last_valid_uid = 2000
first_valid_gid = 2000
last_valid_uid = 2000
maildir_copy_with_hardlinks = yes
disable_plaintext_auth = yes

protocol imap {
  imap_client_workarounds = outlook-idle
}

protocol lda {
  postmaster_address = postmaster at domain.com
  hostname = domain.com
  mail_plugins = cmusieve
}

auth_default_realm = pcserwis.net
auth_username_format = %Lu
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = no

auth default {
  mechanisms = plain login cram-md5 digest-md5

  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  userdb static {
    args = uid=2000 gid=2000 home=/var/mail/%d/%n
  }

  socket listen {
    client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = vmail
        group = postfix
    }
    master {
        path = /var/run/dovecot/auth-master
        mode = 0600
        user = vmail
    }
  }
}

protocol managesieve {
    listen = *:2000
    login_executable = /usr/libexec/dovecot/managesieve-login
    mail_executable = /usr/libexec/dovecot/managesieve
}

-- 
Łukasz Mierzwa

More information about the dovecot mailing list