Hello List,
The only passdb block in /pfx/etc/dovecot/dovecot.conf is:
passdb ldap { args = /pfx/etc/dovecot/dovecot-ldap.conf }
In /pfx/etc/dovecot/dovecot-ldap.conf:
auth_bind = no dn = cn=mymgr,dc=host,dc=tld dnpass = ******** default_pass_scheme = LDAP-MD5
In /pfx/etc/openldap/slapd.conf:
password-hash {MD5}
If I try:
$ /pfx/bin/ldapsearch <...>
| grep '^userPassword'
| sed -e 's;.*:: \(.*\)$;\1;'
| mimencode -u
...I get the correct password (MD5 hashed.)
According to wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups this should work, and indeed when starting dovecot it does not complain about:
'CRAM-MD5 mechanism can't be supported with given passdbs'
Instead it starts right up, but when a thunderbird client connects and tries authenticating with CRAM-MD5 it fails.
In the wiki page 'PasswordLookups' it mentions:
Supports non-plaintext authentication mechanisms (if returning plaintext/properly hashed passwords).
I've already verified that this works correctly with plaintext (CLEARTEXT in slapd.conf), but I really want to store the passwords in LDAP using some hash. Why doesn't LDAP-MD5 work as advertised?
What did the author mean by 'properly hashed passwords'? Thanks.
-- Eduard