Double variable expansion / multiple password mechanisms

Leon Kyneur leon at f-m.fm
Tue Jun 14 15:26:09 UTC 2016



On 14/06/16 23:15, Karsten Heiken wrote:
> Hi Leon,
>
>>> You should be able to add multiple userPassword attributes to your directory:
>>>
>>> userPassword: {CRAM-MD5}xxx
>>> userPassword: {DIGEST-MD5}xxxx
>>> userPassword: {SCRAM-SHA-1}xxxx
>>> userPassword: {NTLM}xxxx
>> Did try this, didn't end well.
>>
>> Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
>> [...]
> Huh. You're right, I'm sorry.
>
> A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:
>> dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'
> Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.
>
> But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup.
> If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.
>
> http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> This of course only works for passdb lookups.

Auth bind won't work here, as if they auth with an encrypted password it
can't bind to LDAP with it, and I get a lot of these:

auth: Info: ldap(leonkyneur,192.168.99.3,<7Rr1lj41tJzLhgGR>): Requested DIGEST-MD5 scheme, but we have a NULL password
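
Why a bind-only passdb cannot serve challenge-response mechanisms, as an added example that is not part of the original post and is not Dovecot's code: a simplified Python model in which CRAM-MD5 stands in for DIGEST-MD5 (both send only a keyed digest, never the password). The directory contents, function names and challenge string are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample directory: uid -> password known only to the LDAP server.
DIRECTORY = {"alice": "s3cret-example"}


def ldap_bind(user, password):
    """Stand-in for an LDAP simple bind: the directory checks the password itself."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def passdb_lookup(user, auth_bind):
    """Credential the auth server can read; with auth binds it never fetches one."""
    return None if auth_bind else DIRECTORY.get(user)


def auth_plain(user, password, auth_bind):
    """PLAIN: the client sends the password, so it can be forwarded to a bind."""
    if auth_bind:
        return ldap_bind(user, password)
    stored = passdb_lookup(user, auth_bind)
    return stored is not None and hmac.compare_digest(stored, password)


def cram_md5_response(password, challenge):
    """Client side: keyed digest of the server's challenge."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def auth_cram_md5(user, response, challenge, auth_bind):
    """Server side: must recompute the digest from a credential it can read."""
    stored = passdb_lookup(user, auth_bind)
    if stored is None:
        return False  # nothing to verify against: the "NULL password" case
    expected = cram_md5_response(stored, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = b"<1896.697170952@mail.example.test>"  # constructed challenge
    resp = cram_md5_response("s3cret-example", challenge)
    print("PLAIN via bind:       ", auth_plain("alice", "s3cret-example", True))
    print("CRAM-MD5 via lookup:  ", auth_cram_md5("alice", resp, challenge, False))
    print("CRAM-MD5 via bind:    ", auth_cram_md5("alice", resp, challenge, True))
    print("bind with the digest: ", ldap_bind("alice", resp))
```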


