[Dovecot] LDAP encryption

James Devine fxmulder at gmail.com
Tue Oct 9 22:16:15 EEST 2012


I don't think I understand.  Right now the problem is the password
retrieved from LDAP cannot be hashed to compare against what the user sent
because it is encrypted.  I have to perform my AES decryption before it can
be hashed and compared.

On Tue, Oct 9, 2012 at 1:03 PM, btb <btb at bitrate.net> wrote:

> On 2012.10.09 14.41, James Devine wrote:
>
>> We have an LDAP server that contains AES encrypted passwords.  So far I've
>> been able to use this by adding a passdb module that encrypts the user's
>> password prior to ldap comparison.  Now I am looking at supporting
>> client-side encrypted passwords.  To do this I need to decrypt the
>> password
>> returned by LDAP.  Is there a way to insert a module to do this decryption
>> between ldap returning and the auth mechanism?
>>
> that would be unwise, generally speaking.  as a rule of thumb, in terms
> of security fundamentals, only the rootdn [or equiv] should be able to read
> the values in an ldap entry's password attribute.  certainly the service
> account used by dovecot should not.
>
> in the context of ldap, authentication should be accomplished by binding
> as the user, not by retrieving attribute values and performing string
> comparisons.  among other things, this decouples the two components and
> allows applications [e.g. dovecot] to be unconcerned with whatever password
> hashing scheme the directory server might be using.
>
> -ben
>
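For reference, an added illustration (not from either poster, and not Dovecot's own documentation) of the two passdb setups being contrasted in this thread, written in dovecot-ldap.conf.ext syntax: the attribute-comparison setup that requires the service account to read userPassword, and the bind-as-user setup ben recommends. Hostnames, DNs, attribute names and the SSHA scheme are assumed placeholders; the two variants are separate files, not one.

```ini
# File 1: dovecot-ldap.conf.ext, attribute-comparison variant.
# The service account reads every user's userPassword and dovecot
# does the comparison itself (the situation the thread starts from).
hosts = ldap.example.com
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER
base = ou=people,dc=example,dc=com
auth_bind = no
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# userPassword is handed to dovecot as the "password" field,
# so the service account needs read access to that attribute.
pass_attrs = uid=user,userPassword=password
# assumed hash scheme of the stored value; an AES-encrypted value
# would need a custom decryption step here, as the thread discusses
default_pass_scheme = SSHA

# File 2: dovecot-ldap.conf.ext, bind-as-user variant (ben's advice).
# The service account never reads userPassword; the password check
# happens inside the directory when dovecot binds with the user's own
# DN and the password the client supplied.
hosts = ldap.example.com
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER
base = ou=people,dc=example,dc=com
auth_bind = yes
# %u is the username the client authenticated with
auth_bind_userdn = uid=%u,ou=people,dc=example,dc=com
# no userPassword in pass_attrs: the stored value stays in the directory
pass_attrs = uid=user
```

Note that auth_bind only works with mechanisms that give dovecot the cleartext password (PLAIN/LOGIN), since it must present that password to the directory; this is the same constraint that makes client-side encrypted passwords incompatible with the bind approach.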
