Yep, that's the way it works. In effect the LDAP server can use any schema for storing its passwords, since you can then authenticate onto the LDAP server itself, using Dovecot as a kind of proxy.
In effect the LDAP server can store different user passwords in different schemas as well (I'd recommend going with the default SSHA - salted SHA - at least) - which can be useful when you're making a transition from, say, some SQL-based backend onto LDAP (been there, done that, although with Samba).
The authentication mechanism lets you specify in which way you want to transfer the password over the network (and, of course, nothing beats using STARTTLS/SSL in terms of encryption security - so you really should rely on that one when it comes down to securing the communications channel - note that weak passwords can't be really protected in this way :) ).
On Thu, 17 May 2012 22:10:43 +0100 Tim Smith tim@titan21.co.uk wrote:
Interesting - just so I have this clear in my own head. The password scheme is the way the password is encrypted but the authentication mechanism is whether the password is sent encrypted as well?
On 17/05/12 22:00, Timo Sirainen wrote:
On 16.5.2012, at 19.36, Manuel Fernández Panzuela wrote:
Hello
I need to authenticate dovecot against openldap. OpenLdap's authentication method requires SHA. How must I set dovecot?
..
#mechanisms = plain SHA
..
If I uncomment #mechanisms = plain SHA Dovecot doesn't start, the error:
dovecot: auth(default): Unknown authentication mechanism 'SHA'

You're confusing the difference between authentication mechanism and password scheme. http://wiki2.dovecot.org/Authentication
You want to use SHA1 as password scheme but still PLAIN mechanism.
-- Branko Majic Jabber: branko@majic.rs Please use only Free formats when sending attachments to me.
Branko Majić Jabber: branko@majic.rs Please send attachments exclusively in free formats.
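
The distinction drawn in this thread, as an added example (not code from Dovecot or OpenLDAP): with the PLAIN mechanism the server receives the password itself and checks it against the stored userPassword value, whose {SHA} or {SSHA} prefix names the password scheme, so different users can sit on different schemes during a migration. The function names and the sample directory entries are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; anything after it in {SSHA} is the salt

def make_ssha(password, salt=None):
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored, password):
    """Check a password received via the PLAIN mechanism against a stored hash."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:          # malformed base64 in the directory entry
        return False
    scheme = scheme.upper()
    if scheme == "SHA":         # unsalted: the whole blob is the digest
        digest, salt = raw, b""
    elif scheme == "SSHA":      # salted: digest first, salt appended
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    else:                       # scheme this sketch does not implement
        return False
    if len(digest) != SHA1_LEN:
        return False
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed sample entries: one account still on {SHA}, one already on {SSHA}.
DIRECTORY = {
    "legacy": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",   # sha1("password")
    "migrated": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
}

def authenticate(user, password):
    """PLAIN login: look up the user's entry and verify under its own scheme."""
    stored = DIRECTORY.get(user)
    return stored is not None and verify(stored, password)

if __name__ == "__main__":
    for user, pw in [("legacy", "password"), ("migrated", "correct horse"),
                     ("migrated", "password")]:
        print(user, authenticate(user, pw))
```

"SHA" never appears as a mechanism here: the mechanism only decides how the password travels, which is why that hop needs STARTTLS/SSL when PLAIN is used.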