[Dovecot] ldap and digest-md5 problem
Hi,
I'm using dovecot-1.0.0 on a Gentoo box and I have a problem with authentication using digest-md5 and passwords stored as plain text in an LDAP database. When I use cram-md5 it works, while digest-md5 gives this error (squirrelmail login):
May 5 16:03:32 srv dovecot: auth(default): client in: AUTH 1 DIGEST-MD5 service=IMAP secured lip=127.0.0.1 rip=127.0.0.1
May 5 16:03:32 srv dovecot: auth(default): client out: CONT 1 [password hash]
May 5 16:03:32 srv dovecot: auth(default): client in: CONT<hidden>
May 5 16:03:32 srv dovecot: auth(default): ldap(user@domain.com,127.0.0.1): pass search: base=ou=domain.com,cn=Users,dc=domain,dc=com scope=subtree filter=(&(objectClass=posixAccount)(uid=user)) fields=userPassword
May 5 16:03:32 srv dovecot: auth(default): ldap(user@domain.com,127.0.0.1): result: userPassword(password)=<hidden>
May 5 16:03:32 srv dovecot: auth(default): digest-md5 (user@domain.com,127.0.0.1): password mismatch
May 5 16:03:32 srv dovecot: auth(default): client out: FAIL 1 user=user@domain.com
May 5 16:03:32 srv dovecot: imap-login: Aborted login: user=user@domain.com, method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
It seems that the client and dovecot hashes calculated for DIGEST-MD5 are different. I tested squirrelmail 1.4.9a and kmail 3.5.6; both can't log in using digest-md5, so maybe dovecot is not working correctly? Passwords were created using phpldapadmin and the "clear" password type; cram-md5 logins are ok. I can't find any info on ldap and digest-md5 incompatibility in the dovecot wiki, can anyone give me a hint?
my dovecot-ldap.conf:

uris = ldaps://127.0.0.1
dn = uid=dovecot,cn=Daemons,dc=domain,dc=com
dnpass = secret
sasl_bind = no
tls = no
auth_bind = no
ldap_version = 3
base = ou=%d,cn=Users,dc=domain,dc=com
deref = never
scope = subtree
pass_attrs = userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
default_pass_scheme = PLAIN

my dovecot.conf:

protocols = imap imaps managesieve
shutdown_clients = yes
syslog_facility = mail
ssl_cert_file = /etc/ssl/cert
ssl_key_file = /etc/ssl/key
verbose_ssl = no
login_process_per_connection = yes
login_processes_count = 2
login_max_processes_count = 10
login_user = dovecot
login_dir = /var/run/dovecot/login
login_chroot = yes
mail_location = maildir:/var/mail/%d/%n
mail_extra_groups = postfix
mail_full_filesystem_access = no
mail_debug = no
verbose_proctitle = yes
first_valid_uid = 2000
last_valid_uid = 2000
first_valid_gid = 2000
last_valid_uid = 2000
maildir_copy_with_hardlinks = yes
disable_plaintext_auth = yes

protocol imap {
  imap_client_workarounds = outlook-idle
}

protocol lda {
  postmaster_address = postmaster@domain.com
  hostname = domain.com
  mail_plugins = cmusieve
}

auth_default_realm = pcserwis.net
auth_username_format = %Lu
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = no

auth default {
  mechanisms = plain login cram-md5 digest-md5

  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  userdb static {
    args = uid=2000 gid=2000 home=/var/mail/%d/%n
  }

  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = vmail
      group = postfix
    }
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
    }
  }
}

protocol managesieve {
  listen = *:2000
  login_executable = /usr/libexec/dovecot/managesieve-login
  mail_executable = /usr/libexec/dovecot/managesieve
}
-- Łukasz Mierzwa
On Saturday 05 May 2007 16:13:47, Łukasz Mierzwa wrote:
Nobody tried DIGEST-MD5?
-- Łukasz Mierzwa
On Sat, 2007-05-05 at 16:13 +0200, Łukasz Mierzwa wrote:
May 5 16:03:32 srv dovecot: auth(default): digest-md5 (user@domain.com,127.0.0.1): password mismatch .. It seems that the client and dovecot hashes calculated for DIGEST-MD5 are different. I tested squirrelmail 1.4.9a and kmail 3.5.6; both can't log in using digest-md5, so maybe dovecot is not working correctly? Passwords were created using phpldapadmin and the "clear" password type; cram-md5 logins are ok. I can't find any info on ldap and digest-md5 incompatibility in the dovecot wiki, can anyone give me a hint?
I'm guessing they're using a different username in the hash calculation. DIGEST-MD5 hashes are a bit special because they contain the username also in them.
auth_default_realm = pcserwis.net
auth_username_format = %Lu
If you're not logging in as lowercased user@pcserwis.net that's the problem. Or any other mismatch in the username as well.
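To make the point above concrete, here is an added example (not from the thread and not Dovecot's own code) that computes the SASL DIGEST-MD5 response-value from RFC 2831 and the CRAM-MD5 digest from RFC 2195 for the same password. The username and realm are part of the DIGEST-MD5 hash input, so "User" vs "user" or a different realm yields a different response, while CRAM-MD5 keys only on the password; the nonce, cnonce and challenge values below are constructed, and the RFC 2831 section 4 vector is used as a correctness check.

```python
import hashlib
import hmac


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth"):
    """Client response-value for SASL DIGEST-MD5 (RFC 2831, no authzid).

    A1 starts with the raw MD5 of username:realm:password, so the exact
    username and realm the client used are baked into the hash that the
    server must reproduce from its stored plaintext password.
    """
    a1 = (hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
          + f":{nonce}:{cnonce}".encode())
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()
    return hashlib.md5(kd).hexdigest()


def cram_md5_response(password, challenge):
    """CRAM-MD5 digest (RFC 2195): HMAC-MD5 keyed by the password only.

    The username is sent in clear beside the digest and never enters the
    hash, which is why a username-format mismatch does not break CRAM-MD5.
    """
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


# Published test vector from RFC 2831 section 4 (username chris, password secret).
RFC2831_VECTOR = dict(username="chris", realm="elwood.innosoft.com",
                      password="secret", nonce="OA6MG9tEQGm2hh",
                      cnonce="OA6MHXh6VqTrRk",
                      digest_uri="imap/elwood.innosoft.com")
RFC2831_RESPONSE = "d388dad90d4bbd760a152321f2143af7"


def username_form_sensitivity(password="secret", realm="pcserwis.net"):
    """Same password and realm, only the username form differs (the kind of
    difference auth_username_format = %Lu normalises on the server side).
    Returns the DIGEST-MD5 responses per form and the one CRAM-MD5 digest."""
    nonce, cnonce, uri = "n0nceX", "cn0nceY", "imap/pcserwis.net"  # constructed
    digests = {u: digest_md5_response(u, realm, password, nonce, cnonce, uri)
               for u in ("user", "User", "user@pcserwis.net")}
    return digests, cram_md5_response(password, "<123.1178372012@srv>")  # constructed
```
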