Can I convert the password hashes with the older Dovecot?
http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes shows how it can potentially be done with Dovecot 2.1, but when I try it with Dovecot 1.2.15, I'm not seeing a way to make it work. Any suggestions?
This is an old Debian 6 system that's overdue for an upgrade. In the test environment, upgrading OpenLDAP to Debian 8, I discovered most of our users' passwords probably won't work. The hashes appear to be an old Unix DES-based hash, i.e. base64-decoded LDIF shows something like the following:
userPassword:: {crypt}Aipcuzoh3eiVE
Passwords stored in the SSHA hash seem to work fine. If given the password, a shell script could create the hashes with slappasswd and/or a SHA512 hash (using doveadm or mkpasswd) for use on Debian 8.
# cat /usr/local/bin/dovecot-environment.sh
#!/bin/sh
set > /tmp/dovecot-environment
exec /usr/lib/dovecot/imap "$@"
I can show the /tmp/dovecot-environment if you like, but it's not showing the password as a variable...
This system is using Debian's Dovecot package 1.2.15-7+deb6u1. Dovecot 2.1.7-7~bpo60+1 is available as a backport, but I would prefer not to upgrade Dovecot on the production system if I don't need to, or have some other reason such as some features for using IMAP for the migration. https://packages.debian.org/search?keywords=dovecot-common
Thanks, Chuck
# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686-bigmem i686 Debian 6.0.10
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/lfrr/ca/thishost.crt
ssl_key_file: /etc/lfrr/ca/thishost.key
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
verbose_proctitle: yes
mail_privileged_group: mail
mail_location: mbox:%h:INBOX=/var/mail/%Lu
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/local/bin/dovecot-environment.sh
mail_executable(imap): /usr/local/bin/dovecot-environment.sh
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_reuse_xuidl(default): no
pop3_reuse_xuidl(imap): no
pop3_reuse_xuidl(pop3): yes
auth default:
  mechanisms: plain login
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  passdb:
    driver: pam
    args: session=yes dovecot
  userdb:
    driver: passwd
    args: /etc/passwd
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
plugin:
  quota: dirsize
  quota_rule: *:storage=204800
I should note, I think the default_pass_scheme = CRYPT doesn't do anything with auth_bind = yes.
# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf
hosts = 127.0.0.1
sasl_bind = no
auth_bind = yes
auth_bind_userdn = uid=%u,ou=People,dc=ccil,dc=org
ldap_version = 3
base = ou=People,dc=ccil,dc=org
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CRYPT
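
An added example, not part of the original post: a Python sketch that inventories the userPassword schemes in an LDIF export, so the accounts still on the DES-based {crypt} hash can be counted before the migration. It assumes LDIF as produced by slapcat or ldapsearch; the sample entries are constructed (only the {crypt} value is the one quoted in the post), and the scheme labels are this example's own.

```python
import base64
import re
from collections import Counter

# Traditional DES crypt(3): 2-char salt + 11-char hash, 13 characters total.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Labels are this example's own names for the crypt(3) "$id$" prefixes.
MODULAR = {"1": "MD5-CRYPT", "5": "SHA256-CRYPT", "6": "SHA512-CRYPT",
           "2a": "BLF-CRYPT", "2y": "BLF-CRYPT"}

def classify(value):
    """Return a scheme label for one decoded userPassword value."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    if not m:
        return "PLAINTEXT-OR-UNKNOWN"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme                      # e.g. SSHA, SHA, MD5
    if DES_CRYPT.match(rest):
        return "DES-CRYPT"
    mod = re.match(r"^\$([0-9a-z]+)\$", rest)
    return MODULAR.get(mod.group(1), "CRYPT-OTHER") if mod else "CRYPT-OTHER"

def inventory(ldif_text):
    """Return ({dn: scheme}, Counter of schemes) for an LDIF export."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)   # undo RFC 2849 line folding
    per_dn, dn = {}, None
    for line in unfolded.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("userpassword:"):
            raw = line[len("userPassword:"):]
            if raw.startswith(":"):               # "::" marks a base64 value
                raw = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            per_dn[dn] = classify(raw.strip())
    return per_dn, Counter(per_dn.values())

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample; carol's value is folded across two lines on purpose.
_long = _b64("{crypt}$6$constructedsalt$" + "x" * 86)
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=org",
    "userPassword:: " + _b64("{crypt}Aipcuzoh3eiVE"), "",
    "dn: uid=bob,ou=People,dc=example,dc=org",
    "userPassword:: " + _b64("{SSHA}" + "A" * 32), "",
    "dn: uid=carol,ou=People,dc=example,dc=org",
    "userPassword:: " + _long[:40] + "\n " + _long[40:],
])

if __name__ == "__main__":
    print(inventory(SAMPLE_LDIF)[1])
```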