BUG: nopassword doesn't work with CRAM-MD5
Arkadiusz Miśkiewicz
arekm at maven.pl
Thu Nov 17 08:44:30 UTC 2016
On Thursday 17 of November 2016, Aki Tuomi wrote:
> On 17.11.2016 10:30, Arkadiusz Miśkiewicz wrote:
> > On Thursday 17 of November 2016, Aki Tuomi wrote:
> >> On 17.11.2016 10:14, Arkadiusz Miśkiewicz wrote:
> >>> Hello.
> >>>
> >>> dovecot 2.2.26.0
> >>>
> >>> When testing nopassword extra field
> >>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5
> >>> dovecot doesn't allow any password (while it should) and returns
> >>>
> >>> " Authentication failed"
> >>>
> >>> while in logs:
> >>>
> >>> Nov 17 08:22:34 auth-worker(1551): Info:
> >>> sql(pepe,127.0.0.1,<Y8amDXpBptV/AAAB>): Requested CRAM-MD5 scheme, but
> >>> we have a NULL password
> >>>
> >>> NULL is there because our sql query returns empty password just like
> >>> wiki says "nopassword: you want to allow all passwords, use an empty
> >>> password and this field. "
> >>>
> >>>
> >>> If password is returned in sql query then it fails, too:
> >>>
> >>> Nov 17 09:00:49 auth-worker(2206): Error:
> >>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
> >>> non-empty
> >>>
> >>> So looks to be a bug.
> >>
> >> It's not a bug. CRAM-MD5 does in fact require *some* password to work,
> >
> > Provide fake/random one for nopassword internally.
> >
> >> you can either store it with doveadm pw -S CRAM-MD5 or as plain text
> >> password.
> >
> > Then I get
> >
> >>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
> >>> non-empty
> >
> > So that doesn't help
> >
> > btw. doveadm pw -S is not documented, so no idea what it does
> >
> >> Aki
>
> sorry, typo.
>
> Meant doveadm pw -s CRAM-MD5
>
> How do you perceive user login works with CRAM-MD5 if you do not provide
> *any* password for the user?
I can provide it and I want to do that but nopassword doesn't let me.
> Some passdb backend must provide a password
> for the user, if you want to load extra attributes from alternative
> backend, use noauthenticate instead of nopassword, but make sure the
> last passdb can authenticate the user.
Ok, I'll try noauthenticate.
>
> Aki
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
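
The point made in the thread, that CRAM-MD5 cannot check a login unless some secret is stored for the user, shown as an added example (not part of the original messages and not Dovecot's code): a minimal RFC 2195 exchange in Python. The function names and the plaintext secret lookup are assumptions for illustration; the sample user, password and challenge are the RFC 2195 example values.

```python
import base64
import hashlib
import hmac

def client_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side: the password never crosses the wire, only
    HMAC-MD5(key=password, msg=challenge) as hex, prefixed by the user name."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(response_b64: bytes, challenge: bytes, lookup_secret) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = lookup_secret(user)  # hypothetical passdb lookup: str or None
    if not secret:
        # The empty/NULL password case from the thread: there is no key to
        # compute the expected digest with, so no response can be checked.
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def plain_verify(user: str, password: str, lookup_secret, nopassword=False) -> bool:
    """PLAIN, for contrast: the server receives the password itself, so an
    accept-anything policy is possible without any stored secret."""
    if nopassword:
        return True
    secret = lookup_secret(user)
    return bool(secret) and hmac.compare_digest(secret.encode(), password.encode())

if __name__ == "__main__":
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 sample
    resp = client_response("tim", "tanstaaftanstaaf", challenge)
    print("with stored secret:", server_verify(resp, challenge, {"tim": "tanstaaftanstaaf"}.get))
    print("with empty secret: ", server_verify(resp, challenge, {"tim": ""}.get))
    print("PLAIN + nopassword:", plain_verify("tim", "anything", {}.get, nopassword=True))
```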