[Dovecot] PLAIN-MD5 passwords?
After I found out that {CRYPT} doesn't support passwords longer than 8
characters, I decided to switch over to MD5 for user passwords in my LDAP database. However, while I have no problem with Postfix + SASL, Dovecot fails to authenticate.
Relevant bits from /etc/dovecot-ldap.conf:
user_attrs = mailAddress,,,,,
# The search string is identical to what's found in /etc/saslauthd.conf:
user_filter = (&(|(uid=%u)(mailAddress=%u))(status=active))
pass_attrs = mailAddress,userPassword
pass_filter = (&(|(uid=%u)(mailAddress=%u))(status=active))
default_pass_scheme = PLAIN-MD5
When I try to connect using either KMail or SquirrelMail (which worked just fine before I switched schemes), the following error appears in /var/log/syslog:
ldap(user@mydomain.tld): password mismatch
But when I try 'testsaslauthd -u user@mydomain.tld -p longpassword' it authenticates just fine. I have the line 'password-hash {MD5}' in /etc/ldap/slapd.conf, and I used 'slappasswd -h {MD5}' to create the MD5 versions of the passwords.
Dovecot is v. 0.99.11. If I can't figure out how to get it to work with MD5, I guess I'll have to go back to CRYPT, but it would be nice to have longer passwords...
:Peter
Peter Clark wrote:
After I found out that {CRYPT} doesn't support passwords longer than 8
characters, I decided to switch over to MD5 for user passwords in my LDAP database. However, while I have no problem with Postfix + SASL, Dovecot fails to authenticate.
I think you just found out that 3DES (?) only supports passwords with not more than 8 characters.
Try:
password-hash {CRYPT}
password-crypt-salt-format $1$%.8s
in your slapd.conf for MD5 hashes. After restarting slapd all newly created and modified passwords will match that pattern.
Does anyone have the salt format for Blowfish ready to hand?
A
--
On Friday 31 December 2004 21:59, Adam Pordzik wrote:
password-hash {CRYPT}
password-crypt-salt-format $1$%.8s
in your slapd.conf for MD5 hashes. After restarting slapd all newly created and modified passwords will match that pattern.
This works, although I'm having problems with the change_ldappass module for Squirrelmail, but that's off-topic. Upgrading to .99.13 isn't an option, since I'm using Debian Testing (waiting for it to become Stable) and don't want to mess around with things that are going to be outside of the security updates.
Thanks for your help, everyone, and happy new year!
:Peter
On Fri, 2004-12-31 at 19:59 +0100, Adam Pordzik wrote:
Peter Clark wrote:
After I found out that {CRYPT} doesn't support passwords longer than 8
characters, I decided to switch over to MD5 for user passwords in my LDAP database. However, while I have no problem with Postfix + SASL, Dovecot fails to authenticate.
I think you just found out that 3DES (?) only supports passwords with not more than 8 characters.
...although that limitation is not inherent. In fact, 3des is normally an encryption algorithm, but encryption algorithms can easily be adapted for use as hashing algorithms.
Same for des.
On 2004-12-31 21:10:46 +0300, Peter Clark wrote:
Dovecot is v. 0.99.11. If I can't figure out how to get it to work with MD5, I guess I'll have to go back to CRYPT, but it would be nice to have longer passwords...
maybe try 0.99.13rc it has some ldap/md5 related changes.
darix
-- irssi - the client of the smart and beautiful people
http://www.irssi.de/
On Dec 31, 2004, at 2:00 PM, Marcus Rueckert wrote:
Dovecot is v. 0.99.11. If I can't figure out how to get it to work with MD5, I guess I'll have to go back to CRYPT, but it would be nice to have longer passwords...
maybe try 0.99.13rc it has some ldap/md5 related changes.
There was a related discussion 2 days ago on this mailing list. The subject was "bug in 99.13-rc2 in ldap md5 patch." It might also help to try changing the default_pass_scheme from PLAIN-MD5 to LDAP-MD5 as mentioned in Section 3 of the authentication docs: http://wiki.dovecot.org/Authentication
Pete
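The encoding difference behind the LDAP-MD5 suggestion above, as an added example that is not part of the original thread: `slappasswd -h {MD5}` stores the MD5 digest base64-encoded after the `{MD5}` prefix, while Dovecot's PLAIN-MD5 scheme compares against the digest written as 32 hex characters, so the same password gives two different strings. The function names and the sample password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

def plain_md5(password: str) -> str:
    """MD5 digest as hex (the form PLAIN-MD5 compares against)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def ldap_md5(password: str) -> str:
    """Same digest as base64 (what slappasswd -h {MD5} writes after the prefix)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def split_scheme(stored: str):
    """Split '{SCHEME}value' into (SCHEME, value); SCHEME is None without a prefix."""
    if stored.startswith("{") and "}" in stored:
        scheme, value = stored[1:].split("}", 1)
        return scheme.upper(), value
    return None, stored

def verify(stored: str, password: str, scheme: str) -> bool:
    """Check a password against a stored value interpreted under `scheme`."""
    _, value = split_scheme(stored)
    if scheme == "PLAIN-MD5":
        expected, value = plain_md5(password), value.lower()
    elif scheme == "LDAP-MD5":
        expected = ldap_md5(password)
    else:
        raise ValueError("unsupported scheme: " + scheme)
    # Constant-time comparison; values of different length simply do not match.
    return hmac.compare_digest(expected.encode(), value.encode())

def ldap_to_plain(stored: str) -> str:
    """Re-encode a {MD5} base64 value as hex without knowing the password."""
    _, value = split_scheme(stored)
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("not an MD5 digest")
    return binascii.hexlify(raw).decode("ascii")

if __name__ == "__main__":
    stored = "{MD5}" + ldap_md5("longpassword")  # constructed sample entry
    print(stored)
    print("as PLAIN-MD5:", verify(stored, "longpassword", "PLAIN-MD5"))
    print("as LDAP-MD5: ", verify(stored, "longpassword", "LDAP-MD5"))
    print("hex form:    ", ldap_to_plain(stored))
```

Read as PLAIN-MD5, the base64 value never matches even for the correct password, which is the "password mismatch" symptom; read as LDAP-MD5, or re-encoded as hex, it does.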
participants (5)
- Adam Pordzik
- Dan Stromberg
- Marcus Rueckert
- Peter Clark
- Peter Lacey