I don't think I understand. Right now the problem is the password retrieved from LDAP cannot be hashed to compare against what the user sent because it is encrypted. I have to perform my AES decryption before it can be hashed and compared.
On Tue, Oct 9, 2012 at 1:03 PM, btb btb@bitrate.net wrote:
On 2012.10.09 14.41, James Devine wrote:
We have an LDAP server that contains AES encrypted passwords. So far I've been able to use this by adding a passdb module that encrypts the user's password prior to ldap comparison. Now I am looking at supporting client-side encrypted passwords. To do this I need to decrypt the password returned by LDAP. Is there a way to insert a module to do this decryption between ldap returning and the auth mechanism?
that would be unwise, generally speaking. as a rule of thumb, in terms of security fundamentals, only the rootdn [or equiv] should be able to read the values in an ldap entry's password attribute. certainly the service account used by dovecot should not.
in the context of ldap, authentication should be accomplished by binding as the user, not by retrieving attribute values and performing string comparisons. among other things, this decouples the two components and allows applications [e.g. dovecot] to be unconcerned with whatever password hashing scheme the directory server might be using.
-ben
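Ben's "bind as the user" advice, written out as Dovecot LDAP passdb settings; this is an added example, not configuration from the thread or from the Dovecot project. The first section is the attribute-compare setup the thread describes (a service account reads the password attribute and Dovecot does the comparison), the second is the bind setup that leaves verification to the directory. The host, base DN, filter and account names are assumed placeholders.

```conf
# dovecot-ldap.conf.ext (settings common to both variants)
hosts        = ldap.example.com          # assumed host
base         = ou=people,dc=example,dc=com   # assumed base DN
ldap_version = 3
tls          = yes

# --- Variant A: attribute compare (what the thread describes) --------------
# The Dovecot service account must be allowed to READ userPassword, and Dovecot
# must understand whatever form the directory stores (hash scheme, or in the
# thread's case AES ciphertext that Dovecot cannot verify without extra code).
# Anyone holding this account's credentials can dump every stored password.
#dn                  = cn=dovecot,ou=services,dc=example,dc=com   # assumed
#dnpass              = SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER
#pass_filter         = (&(objectClass=posixAccount)(uid=%u))
#pass_attrs          = userPassword=password
#default_pass_scheme = SSHA

# --- Variant B: bind as the user (Ben's recommendation) --------------------
# Dovecot never reads userPassword; it binds to the directory with the DN it
# derives from the login name and the password the client supplied, and the
# directory server decides. The stored form (hash, AES, anything) is now the
# directory's concern alone, and the service account needs no read access to
# the password attribute at all.
auth_bind         = yes
auth_bind_userdn  = uid=%u,ou=people,dc=example,dc=com   # assumed DN layout
# If the DN cannot be built from a template, omit auth_bind_userdn and keep
# dn/dnpass/pass_filter: Dovecot then searches for the DN with the service
# account and binds as the user afterwards.

# Caveat: a bind needs the cleartext password, so this only works with the
# PLAIN and LOGIN mechanisms, not with CRAM-MD5/DIGEST-MD5 style challenge
# response. Keep cleartext off the wire with, in conf.d/10-auth.conf:
#   disable_plaintext_auth = yes    (rejects PLAIN/LOGIN unless TLS is active)
```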