[Dovecot] dovecot and ldap passwords.
Hello. First of all I'm sorry for my bad English. I have a question about how dovecot uses passwords. I have all my mail accounts in an ldap database. The user passwords are stored in the form: {crypt}mypasswd. In dovecot-ldap.conf I have default_pass_scheme = CRYPT. All is working fine. The problem with the crypt scheme is that I can't have passwords more than 8 characters long. So I've tried to change the type of the ldap passwords to SSHA or SMD5, but this way the users can't authenticate themselves. Dovecot doesn't understand SSHA or SMD5?
On Fri, Nov 17, 2006 at 11:10:44AM +0100, Mauro Sanna wrote:
> The problem with the crypt scheme is that I can't have passwords more than 8 characters long. So I've tried to change the type of the ldap passwords to SSHA or SMD5, but this way the users can't authenticate themselves. Dovecot doesn't understand SSHA or SMD5?

As far as I understand, this is a good candidate for using auth binds. If you do this, dovecot need not even know ANYTHING about passwords in LDAP, since the pwd verification is done by trying to BIND to the DN of the user with the given password, so the only component that needs to know about the password and password scheme is the LDAP server itself. You may have got no privilege to see the userpassword attribute ...
However you'll get problems if you use some kind of advanced authentication with IMAP/POP3 which does not send clear text passwords which are suitable to use as the password to bind to LDAP?
--
- Gábor
On Fri, 2006-11-17 at 11:10 +0100, Mauro Sanna wrote:
> So I've tried to change the type of the ldap passwords to SSHA or SMD5, but this way the users can't authenticate themselves. Dovecot doesn't understand SSHA or SMD5?
It does, unless you're using v0.99.x version.
Set auth_debug_passwords=yes and check the logs what it says when you try to authenticate.
On Sun, 19/11/2006 at 00.07 +0200, Timo Sirainen wrote:
> On Fri, 2006-11-17 at 11:10 +0100, Mauro Sanna wrote:
>> So I've tried to change the type of the ldap passwords to SSHA or SMD5, but this way the users can't authenticate themselves. Dovecot doesn't understand SSHA or SMD5?
> It does, unless you're using v0.99.x version.

Yes, I'm using the 0.99.x version as it's distributed with Debian stable.

> Set auth_debug_passwords=yes and check the logs what it says when you try to authenticate.

Now I've changed default_pass_scheme from CRYPT to PLAIN in dovecot-ldap.conf. It seems that everything works, I can use either the CRYPT scheme in my userPassword ldap attribute or the SSHA scheme or the SMD5 scheme and so on without problems. Is that ok?
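
Added example, not part of the thread and not Dovecot's code: a Python sketch of how a `{SCHEME}` prefix on a userPassword value selects the verification method, and how `{SSHA}` and `{SMD5}` values are laid out (base64 of the digest of password plus salt, followed by the salt). The function names, and the rule that an unprefixed value falls back to a default scheme, are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Salted schemes: name -> (hashlib algorithm, digest length in bytes)
SALTED = {"SSHA": ("sha1", 20), "SMD5": ("md5", 16)}

def split_scheme(stored, default_scheme="CRYPT"):
    """Split '{SCHEME}data'; an unprefixed value gets the default (assumption)."""
    if stored.startswith("{") and "}" in stored:
        scheme, data = stored[1:].split("}", 1)
        return scheme.upper(), data
    return default_scheme.upper(), stored

def make_salted(scheme, password, salt=None):
    """Build a '{SSHA}...' or '{SMD5}...' value: base64(digest(password+salt)+salt)."""
    algo, _ = SALTED[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify(stored, password, default_scheme="CRYPT"):
    """Check a cleartext password against a stored userPassword value."""
    scheme, data = split_scheme(stored, default_scheme)
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode(), password.encode())
    if scheme not in SALTED:
        raise ValueError("scheme %s not handled in this sketch" % scheme)
    algo, dlen = SALTED[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:          # malformed base64
        return False
    if len(raw) <= dlen:        # no salt present, so not a salted value
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    # The whole password is hashed, so nothing is cut off at 8 characters.
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    value = make_salted("SSHA", "correct horse battery")  # constructed sample
    print(value, verify(value, "correct horse battery"))
```

The sketch needs the cleartext password on the verifying side, which is also the condition Gábor mentions for auth binds.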
participants (3): Gábor Lénárt, Mauro Sanna, Timo Sirainen