Markus Rosjat <rosjat@ghweb.de> wrote:
I'm desperately trying to store a BLF-CRYPT password hash in an LDAP userPassword attribute and get dovecot to authenticate against it.
You (normally) can't, because the userPassword attribute is kind of "magic" for the LDAP-Server.
OpenLDAP supports several internal schemes ({SSHA} the most used) and the wildcard scheme {CRYPT} (no, this does not mean the weak old crypt()-style password "obfuscation") which gets passed through to the glibc and supports every password encryption scheme your glibc supports.
See crypt(3) and the NOTES section.
To configure OpenLDAP to use SHA512 with 5000 rounds (default) and a 128bit salt, put this into your slapd.conf:
,----
| password-hash {CRYPT}
| password-crypt-salt-format "$6$%.16s"
`----
Any password passed via EXOP to this server will then be hashed in the configured way.
Or you can create the hash yourself, provided that you keep the format as outlined in crypt(3).
Or, as a real last resort, you can allow dovecot to read the attribute from LDAP (needs different ACLs and degrades the LDAP server to a simple database) and do the authentication itself; then you don't need to care whether the LDAP server can understand the format. But by doing so the LDAP server can no longer authenticate the user itself.
Regards, Sven.
-- Sigmentation fault. Core dumped.
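The reply above says you can build the userPassword value yourself as long as it follows the crypt(3) format. The following is an added example (not code from the post, from OpenLDAP or from Dovecot) that reimplements the SHA-512 "SHA-crypt" scheme of crypt(3) with only hashlib, so the exact `{CRYPT}$6$salt$hash` layout is visible, and draws a 16-character salt from crypt's own alphabet, which is what the slapd setting `password-crypt-salt-format "$6$%.16s"` produces. The function names (`sha512_crypt`, `ldap_userpassword`, `verify_userpassword`) are mine; the only external check is the known-answer vector from the SHA-crypt specification.

```python
"""Build and verify a {CRYPT}$6$... userPassword value in pure Python (hashlib only).

Added example; not from the mailing-list post or from OpenLDAP/Dovecot. It
re-implements the SHA-512 variant of the crypt(3) "SHA-crypt" scheme so the
on-disk format can be seen, and produces a 16-character salt matching the
slapd setting  password-crypt-salt-format "$6$%.16s".
"""
import hashlib
import hmac
import secrets

# crypt(3)'s own base64 alphabet; note it is NOT standard base64.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters, 6 bits at a time, low bits first (as glibc does)."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode_sha512(d):
    """The fixed byte permutation from the SHA-crypt spec for 64-byte digests."""
    out = []
    for k in range(21):
        triple = (d[k], d[k + 21], d[k + 42])
        r = k % 3  # the spec rotates the triple (k, k+21, k+42) by k mod 3
        out.append(_b64_from_24bit(triple[r], triple[(r + 1) % 3], triple[(r + 2) % 3], 4))
    out.append(_b64_from_24bit(0, 0, d[63], 2))
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """Return "$6$[rounds=N$]salt$hash" in the same form glibc crypt(3) emits."""
    pw = password.encode()
    rounds = max(1000, min(rounds, 999_999_999))  # limits imposed by the spec
    s = salt.split("$", 1)[0].encode()[:16]       # salt stops at '$', max 16 bytes
    plen = len(pw)

    b = hashlib.sha512(pw + s + pw).digest()                       # digest B
    a = hashlib.sha512(pw + s)
    a.update(b * (plen // 64) + b[:plen % 64])
    n = plen
    while n:                                                       # bits of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()                                                 # digest A

    dp = hashlib.sha512(pw * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]                             # byte sequence P
    ds = hashlib.sha512(s * (16 + a[0])).digest()
    sq = (ds * (len(s) // 64 + 1))[:len(s)]                        # byte sequence S

    c = a
    for i in range(rounds):                                        # the cost loop
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(sq)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    prefix = "$6$" + ("" if rounds == 5000 else f"rounds={rounds}$")
    return prefix + s.decode() + "$" + _encode_sha512(c)


def ldap_userpassword(password, rounds=5000):
    """Value to store in userPassword: "{CRYPT}" + hash with a 16-char random salt."""
    salt = "".join(secrets.choice(B64) for _ in range(16))
    return "{CRYPT}" + sha512_crypt(password, salt, rounds)


def verify_userpassword(password, stored):
    """Check a candidate against a stored {CRYPT}$6$ value (constant-time compare)."""
    if not stored.startswith("{CRYPT}$6$"):
        return False
    fields = stored[len("{CRYPT}"):].split("$")  # ['', '6', [rounds=N,] salt, digest]
    rounds, idx = 5000, 2
    if fields[2].startswith("rounds="):
        rounds, idx = int(fields[2][len("rounds="):]), 3
    if len(fields) != idx + 2:
        return False
    recomputed = sha512_crypt(password, fields[idx], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(recomputed, fields[idx + 1])


if __name__ == "__main__":
    # Known-answer vector from the SHA-crypt specification, not constructed here.
    print(sha512_crypt("Hello world!", "saltstring"))
    value = ldap_userpassword("correct horse battery staple")
    print(value, verify_userpassword("correct horse battery staple", value))
```

The digest is compared with `hmac.compare_digest` rather than `==` so verification time does not depend on where the first mismatching character sits. The `rounds=` field is only emitted when the count differs from the default 5000, which is how glibc formats it; a higher count is the knob to raise if 5000 SHA-512 iterations are too cheap for your threat model.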