Double variable expansion / multiple password mechanisms
Karsten Heiken
heiken at luis.uni-hannover.de
Tue Jun 14 15:15:32 UTC 2016
Hi Leon,
>> You should be able to add multiple userPassword attributes to your directory:
>>
>> userPassword: {CRAM-MD5}xxx
>> userPassword: {DIGEST-MD5}xxxx
>> userPassword: {SCRAM-SHA-1}xxxx
>> userPassword: {NTLM}xxxx
>
> Did try this, didn't end well.
>
> Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
> [...]
Huh. You're right, I'm sorry.
A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:
> dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'
Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.
But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup.
If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.
http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
This of course only works for passdb lookups.
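
A sketch of the auth_bind setup suggested above, as an added example that is not part of the original message or Dovecot's shipped configuration. The host name, DNs, base, filters and file path are placeholders assumed for illustration. Because Dovecot must hold the cleartext password to perform the bind, only plaintext mechanisms (PLAIN, LOGIN) work this way, so the LDAP connection and the client connection should both run over TLS.

```conf
# --- /etc/dovecot/dovecot-ldap.conf.ext (path assumed) ---
# Constructed example: hosts, DNs and base below are placeholders.
hosts = ldap.example.org
tls = yes
ldap_version = 3

# Service account used only to search for the user's entry.
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = CHANGE_ME

base = ou=people,dc=example,dc=org
scope = subtree

# Verify the password by binding to LDAP as the user,
# instead of fetching userPassword and comparing it locally.
auth_bind = yes

# userPassword is deliberately absent from pass_attrs, so Dovecot
# does not read the stored password values at all.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
pass_attrs = uid=user

# userdb lookups are not affected by auth_bind; they still use dn/dnpass.
user_filter = (&(objectClass=inetOrgPerson)(uid=%n))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# --- dovecot.conf / conf.d/10-auth.conf ---
# A bind needs the cleartext password, so challenge-response
# mechanisms (CRAM-MD5, DIGEST-MD5, SCRAM, NTLM) cannot be offered here.
auth_mechanisms = plain login
disable_plaintext_auth = yes   # require TLS before PLAIN/LOGIN is accepted

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```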