How to enable LDAP authentication for schema SSHA384
While using LDAP-based authentication, I have come across the message
auth: Error: [...] Unknown scheme SSHA384
Based on the docs at [1] I use the dovecot.org packages provided for Ubuntu 20.04 LTS which, as you can see, are not yet documented in the HTML page, put are available via [2]. Specifically, I used
apt-get install dovecot-ldap dovecot-sqlite
to install Dovecot. What else is needed beyond the two listed packages in order to enable support for SSHA384 password hashes in Dovecot? Am I perhaps missing some required configuration parameter? Your help is appreciated.
-Ralph
[1] https://doc.dovecot.org/installation_guide/dovecot_community_repositories/ub... [2] http://repo.dovecot.org/ce-2.3-latest/ubuntu/focal/
Am 07.11.2021 um 14:35 schrieb Ralph Seichter:
While using LDAP-based authentication, I have come across the message
auth: Error: [...] Unknown scheme SSHA384
Based on the docs at [1] I use the dovecot.org packages provided for Ubuntu 20.04 LTS which, as you can see, are not yet documented in the HTML page, put are available via [2]. Specifically, I used
apt-get install dovecot-ldap dovecot-sqlite
to install Dovecot. What else is needed beyond the two listed packages in order to enable support for SSHA384 password hashes in Dovecot? Am I perhaps missing some required configuration parameter? Your help is appreciated.
-Ralph
[1] https://doc.dovecot.org/installation_guide/dovecot_community_repositories/ub... [2] http://repo.dovecot.org/ce-2.3-latest/ubuntu/focal/
Don't know about Ubuntu specifics, but
https://doc.dovecot.org/configuration_manual/authentication/password_schemes...
and
https://www.openldap.org/faq/data/cache/1467.html
might help.
Alexander
- Alexander Dalloz:
Don't know about Ubuntu specifics [...]
Thank you for the pointers. Am I right to interpret the Dovecot docs as stating that SSHA384 is not supported by the official packages, and that my only recourse might be building from the source code and adding some external code in the process?
I do not remember encountering SSHA384 before, but the existing LDAP records use this schema for about half of a huge user base. Telling all affected users to change their passwords is not an option.
-Ralph
On 2021-11-07, Ralph Seichter <ralph@ml.seichter.de> wrote:
- Alexander Dalloz:
Don't know about Ubuntu specifics [...]
Thank you for the pointers. Am I right to interpret the Dovecot docs as stating that SSHA384 is not supported by the official packages, and that my only recourse might be building from the source code and adding some external code in the process?
I do not remember encountering SSHA384 before, but the existing LDAP records use this schema for about half of a huge user base. Telling all affected users to change their passwords is not an option.
Assuming that SSHA384 is supported by your LDAP server, you could perhaps use "auth_bind = yes" to have Dovecot attempt a bind with the user-supplied password, rather than having Dovecot retrieve the hashed password and validate it itself.
- Stuart Henderson:
you could perhaps use "auth_bind = yes" to have Dovecot attempt a bind with the user-supplied password [...]
Thanks, that sounds like an approach worth investigating to me. Current access control settings for the LDAP server do not permit this method of binding, but I might be able to have the settings changed.
-Ralph
participants (3)
-
Alexander Dalloz
-
Ralph Seichter
-
Stuart Henderson