dovecot 2.2.28 password auth with openldap
Hi there,
I am desperately trying to store a BLF-CRYPT password hash in an LDAP userPassword attribute and get dovecot to authenticate against it.
I use Thunderbird as client and send the password plain with STARTTLS.
What worked so far, but is kinda problematic for my SMTP authentication, was to store the hash with the prefix {CRYPT} or {BLF-CRYPT}.
Is there a way to get dovecot to authenticate without storing the prefix in the LDAP attribute?
regards
-- Markus Rosjat fon: +49 351 8107223 mail: rosjat@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227
Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
On 06.08.2017 at 15:24, Markus Rosjat wrote:
> Hi there,
> I am desperately trying to store a BLF-CRYPT password hash in an LDAP userPassword attribute and get dovecot to authenticate against it.
> I use Thunderbird as client and send the password plain with STARTTLS.
> What worked so far, but is kinda problematic for my SMTP authentication, was to store the hash with the prefix {CRYPT} or {BLF-CRYPT}.
> Is there a way to get dovecot to authenticate without storing the prefix in the LDAP attribute?
Set default_pass_scheme, but don't use CRYPT as it is weak.
regards
Alexander
Markus Rosjat <rosjat@ghweb.de> wrote:
> I am desperately trying to store a BLF-CRYPT password hash in an LDAP userPassword attribute and get dovecot to authenticate against it.
You (normally) can't, because the userPassword attribute is kind of "magic" for the LDAP-Server.
OpenLDAP supports several internal schemes ({SSHA} the most used) and the wildcard scheme {CRYPT} (no, this does not mean the weak old crypt()-style password "obfuscation") which gets passed through to the glibc and supports every password encryption scheme your glibc supports.
See crypt(3) and the NOTES section.
To configure OpenLDAP to use SHA512 with 5000 rounds (default) and a 128bit salt, put this into your slapd.conf:
,----
| password-hash {CRYPT}
| password-crypt-salt-format "$6$%.16s"
`----
Any password passed via EXOP to this server will then be hashed in the configured way.
Or you can create the hash yourself, provided that you keep the format as outlined in crypt(3).
Or, as a really last resort, you can allow dovecot to read the attribute from LDAP (needs different ACLs and degrades the LDAP server to a simple database) and do the authentication itself, then you don't need to care if the LDAP server can understand the format. But by doing so the LDAP server can no longer authenticate the user itself.
Regards, Sven.
-- Sigmentation fault. Core dumped.
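Added example, not part of any message in this thread and not Dovecot or OpenLDAP code: a Python audit helper for userPassword values that applies the rule discussed above (an explicit {SCHEME} prefix wins, otherwise a default scheme is assumed) and reads the crypt(3) `$id$` field to name the algorithm and flag weak or mismatched hashes. The function names, the default of BLF-CRYPT and the sample values are assumptions made for illustration; it classifies stored strings only and does not verify passwords.

```python
import re

# crypt(3) "$id$" values and the algorithm each selects (see crypt(3) NOTES).
CRYPT_IDS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "SHA-256", "6": "SHA-512"}
# Dovecot scheme names whose hash part is a crypt(3)-style string.
CRYPT_SCHEMES = {"CRYPT", "DES-CRYPT", "MD5-CRYPT", "SHA256-CRYPT",
                 "SHA512-CRYPT", "BLF-CRYPT"}
WEAK = {"DES", "MD5"}
PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def split_scheme(value, default_scheme):
    """Return (scheme, hash). An explicit {SCHEME} prefix wins; without one,
    the configured default (the role of default_pass_scheme) is assumed."""
    m = PREFIX.match(value)
    if m:
        return m.group(1).upper(), m.group(2)
    return default_scheme.upper(), value


def crypt_algorithm(hash_part):
    """Name the algorithm of a crypt(3)-style string from its $id$ field."""
    m = re.match(r"^\$([0-9a-z]+)\$", hash_part)
    if m:
        return CRYPT_IDS.get(m.group(1), "unknown")
    # No $id$ field: 13 characters is the traditional DES-based layout.
    return "DES" if len(hash_part) == 13 else "unknown"


def audit(value, default_scheme="BLF-CRYPT"):
    """Classify one userPassword value and list what is wrong with it."""
    scheme, hash_part = split_scheme(value, default_scheme)
    algo = crypt_algorithm(hash_part) if scheme in CRYPT_SCHEMES else scheme
    problems = []
    if algo in WEAK:
        problems.append("weak")
    if algo == "unknown":
        problems.append("unrecognised format")
    if scheme == "BLF-CRYPT" and algo != "bcrypt":
        problems.append("scheme/hash mismatch")
    return {"scheme": scheme, "algorithm": algo, "problems": problems}


# Constructed sample values (placeholder characters, not real hashes).
SAMPLES = ["{BLF-CRYPT}$2y$05$" + "A" * 53, "$2y$05$" + "A" * 53,
           "{CRYPT}$6$saltsaltsaltsalt$" + "B" * 86, "{CRYPT}ab" + "C" * 11]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:24], audit(s))
```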