On Fri, Oct 08, 2004 at 03:35:36AM +0200, Adam Pordzik wrote:
> So, might it be better to abandon LDAP entirely in favour of PAM? Or, maintaining a separate attribute "dovecotUserPasswort" or something like that, with an algorithm Dovecot can handle.
If you use PAM, you *have* to use a plaintext authentication mechanism. This means for security you have to do IMAP over SSL, which may be a hassle for some environments (especially those without a certificate from a commonly trusted CA). I like to make DIGEST-MD5 and CRAM-MD5 available, and they support the use of non-plaintext secrets.
Secondly, the code that handles all the hashes is not LDAP-specific. Many of Dovecot's other password database backends can store a {STRING}data format secret.
Thirdly, Dovecot 1.0-test handles all of the OpenLDAP forms for userPassword, so why bother inventing a non-standard schema?
> > {MD5} (note: Dovecot's {MD5} differs from LDAP's {MD5})
> Does that mean that Dovecot can't authenticate users with an OpenLDAP MD5 hash?
Not at all. It just means that the code works around the difference.
You can fix the MD5 issue and gain support for {SMD5} with my patch at http://www.roughtrade.net/dovecot/dovecot-ldap-md5-quirk-0.99.10.6.diff although I haven't tested this recently. Let me know if it works for you.
> Aha. But patching sources isn't my thing. After doing such, more things will be broken than before... :-(
Well, I wrote that patch and I've used it, and a variant is now in 1.0-test.
J
-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
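An added example (not Dovecot's code, and not from anyone in this thread) of what "handling the OpenLDAP forms for userPassword" means in practice: generating and verifying the {MD5}, {SMD5}, {SHA} and {SSHA} values OpenLDAP stores, plus the unprefixed plaintext case. The layouts assumed are the standard RFC 2307 / OpenLDAP ones (base64 of the raw digest, with the salt appended after the digest for the salted schemes). A value labelled {MD5} whose payload is not base64 of a 16-byte digest is rejected explicitly rather than silently failing, which is the kind of scheme-label mismatch the {MD5} note above refers to; the sample entries are constructed, not taken from a real directory.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Added example, not Dovecot code. Scheme layouts assumed here follow
# RFC 2307 / OpenLDAP:
#   {MD5}  base64(md5(pw))             {SHA}  base64(sha1(pw))
#   {SMD5} base64(md5(pw+salt)+salt)   {SSHA} base64(sha1(pw+salt)+salt)
# An unprefixed value is the plaintext password.

_DIGEST = {
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
}


def parse_userpassword(value: str):
    """Split '{SCHEME}data' into (SCHEME, data); (None, value) when unprefixed."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def ldap_hash(scheme: str, password: str, salt: bytes = None) -> str:
    """Produce an OpenLDAP-style userPassword value for the given scheme."""
    scheme = scheme.upper()
    if scheme not in _DIGEST:
        raise ValueError("unsupported scheme: " + scheme)
    func, _, salted = _DIGEST[scheme]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(4) if salt is None else salt
        raw = func(pw + salt).digest() + salt
    else:
        raw = func(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Raises ValueError when the payload does not match the RFC 2307 layout
    for its scheme label, e.g. a {MD5} value that is not base64 of a
    16-byte digest, instead of quietly returning False.
    """
    scheme, data = parse_userpassword(stored)
    pw = password.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(data.encode("utf-8"), pw)
    if scheme not in _DIGEST:
        raise ValueError("unsupported scheme: " + scheme)
    func, dlen, salted = _DIGEST[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload of {%s} is not base64: %s" % (scheme, exc))
    if salted:
        if len(raw) <= dlen:
            raise ValueError("{%s} payload too short to carry a salt" % scheme)
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(func(pw + salt).digest(), digest)
    if len(raw) != dlen:
        raise ValueError("{%s} payload is not a %d-byte digest" % (scheme, dlen))
    return hmac.compare_digest(func(pw).digest(), raw)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    samples = [
        ("{MD5}X03MO1qnZdYdgyfeuILPmQ==", "password"),   # base64(md5("password"))
        (ldap_hash("SMD5", "secret", salt=b"1234"), "secret"),
        (ldap_hash("SSHA", "secret"), "secret"),
        ("plaintext-value", "plaintext-value"),
    ]
    for stored, pw in samples:
        print(stored, verify_userpassword(stored, pw))
```

Comparisons go through hmac.compare_digest so a verifier built on this does not leak digest bytes through timing. Note that {MD5} and {SHA} are unsalted fast hashes, so identical passwords produce identical values in the directory; the salted forms are the ones worth storing.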