Double variable expansion / multiple password mechanisms
Hi,
Trying to solve the problem of supporting multiple auth mechanisms + proxy, and I really don't want to store user passwords in plain text; I'm fine with doing master user to the backend.
I had the crazy thought I could do something like the following:
For each user store the supported password schemes as LDAP attributes:
userPasswordCRAM-MD5: {CRAM-MD5}xxx
userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
userPasswordSCRAM: {SCRAM-SHA-1}xxxx
userPasswordNTLM: {NTLM}xxxx
then: =password=%{ldap:userPassword%m} <- Though this doesn't work... just wondering if it could possibly work or if I should give up on this crazy idea :)
Thanks
Leon
Hi Leon,
> I had the crazy thought I could do something like the following:
> For each user store the supported password schemes as LDAP attributes:
> userPasswordCRAM-MD5: {CRAM-MD5}xxx
> userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
> userPasswordSCRAM: {SCRAM-SHA-1}xxxx
> userPasswordNTLM: {NTLM}xxxx
You should be able to add multiple userPassword attributes to your directory:
userPassword: {CRAM-MD5}xxx
userPassword: {DIGEST-MD5}xxxx
userPassword: {SCRAM-SHA-1}xxxx
userPassword: {NTLM}xxxx
Karsten
Hi Karsten,
> You should be able to add multiple userPassword attributes to your directory:
> userPassword: {CRAM-MD5}xxx
> userPassword: {DIGEST-MD5}xxxx
> userPassword: {SCRAM-SHA-1}xxxx
> userPassword: {NTLM}xxxx
> Karsten

Did try this, didn't end well.
Jun 14 12:59:43 auth: Error: ldap(leonkyneur@itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
Jun 14 12:59:43 auth: Panic: file passdb-ldap.c: line 99 (ldap_lookup_finish): assertion failed: (password == NULL || scheme != NULL)
Jun 14 12:59:43 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x8699e) [0x7f0233cd499e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x86a7e) [0x7f0233cd4a7e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0233c78b3d] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7f022f4f020b] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7f022f4eee2f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f0233ce821c] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) [0x7f0233ce967f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f0233ce82a5] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f0233ce8458] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f0233c7f013] -> dovecot/auth 0 wait, 1 passdb, 0 userdb [0x7f023418a46c] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f0233264b15] -> dovecot/auth 0 wait, 1 passdb, 0 userdb [0x7f023418a661]
Jun 14 12:59:43 auth: Fatal: master: service(auth): child 48169 killed with signal 6 (core dumps disabled)
Jun 14 12:59:43 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=48164, EOF)
>> Hi Leon,
>> You should be able to add multiple userPassword attributes to your directory:
>> userPassword: {CRAM-MD5}xxx
>> userPassword: {DIGEST-MD5}xxxx
>> userPassword: {SCRAM-SHA-1}xxxx
>> userPassword: {NTLM}xxxx
>
> Did try this, didn't end well.
>
> Jun 14 12:59:43 auth: Error: ldap(leonkyneur@itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported [...]
Huh. You're right, I'm sorry.
A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:
dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'
Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.
But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup. If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.
http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
This of course only works for passdb lookups.
On 14/06/16 23:15, Karsten Heiken wrote:
>>> Hi Leon,
>>> You should be able to add multiple userPassword attributes to your directory:
>>> userPassword: {CRAM-MD5}xxx
>>> userPassword: {DIGEST-MD5}xxxx
>>> userPassword: {SCRAM-SHA-1}xxxx
>>> userPassword: {NTLM}xxxx
>>
>> Did try this, didn't end well.
>>
>> Jun 14 12:59:43 auth: Error: ldap(leonkyneur@itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported [...]
>
> Huh. You're right, I'm sorry.
> A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:
> dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'
> Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.
> But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup. If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.
> http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
> This of course only works for passdb lookups.
Auth bind won't work here, as if they auth with an encrypted password it can't bind to LDAP with it, and I get a lot of these:
auth: Info: ldap(leonkyneur,192.168.99.3,<7Rr1lj41tJzLhgGR>): Requested DIGEST-MD5 scheme, but we have a NULL password
On Tue, 14 Jun 2016, Leon Kyneur wrote:
> For each user store the supported password schemes as LDAP attributes:
> userPasswordCRAM-MD5: {CRAM-MD5}xxx
> userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
> userPasswordSCRAM: {SCRAM-SHA-1}xxxx
> userPasswordNTLM: {NTLM}xxxx
> then: =password=%{ldap:userPassword%m} <- Though this doesn't work... just wondering if it could possibly work or if I should give up on this crazy idea :)
did you try:
userPassword%m=password
but I assume that these scripts are pulled in before %m is known.
You could try to add one *auth* entry per mechanism and per person:
mechanism=CRAM-MD5,uid=user,...
and use mechanism=%m in the filter
Steffen Kaiser
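Steffen's one-entry-per-mechanism idea, written out as a Dovecot LDAP passdb fragment; this is an added illustration, not a configuration from the thread or from the Dovecot project, and it assumes a custom `mechanism` attribute (not part of any standard LDAP schema) on one child entry per user and SASL mechanism:

```ini
# dovecot-ldap.conf.ext fragment (added illustration, untested; assumes a
# custom "mechanism" attribute in the directory schema).
#
# Assumed directory layout, one child entry per user and mechanism, each
# carrying uid, mechanism and a single userPassword with its scheme prefix:
#   dn: mechanism=CRAM-MD5,uid=leon,ou=people,dc=example,dc=com
#   uid: leon
#   mechanism: CRAM-MD5
#   userPassword: {CRAM-MD5}...
#   dn: mechanism=DIGEST-MD5,uid=leon,ou=people,dc=example,dc=com
#   uid: leon
#   mechanism: DIGEST-MD5
#   userPassword: {DIGEST-MD5}...
# (and similarly for SCRAM-SHA-1, NTLM, and PLAIN for plaintext logins.)

# Lookup, not bind: a challenge-response mechanism can only be verified
# against the stored credential, so auth_bind is not an option here.
auth_bind = no

# %m expands to the SASL mechanism the client requested (e.g. CRAM-MD5),
# so every lookup matches exactly one entry and returns one userPassword
# value; the "Multiple password values not supported" panic is avoided
# because the selection happens in the filter, not in pass_attrs.
base = ou=people,dc=example,dc=com
scope = subtree
pass_filter = (&(uid=%n)(mechanism=%m))
pass_attrs = userPassword=password
```

A login attempt for a mechanism that has no entry simply fails the lookup, so the "Requested DIGEST-MD5 scheme, but we have a NULL password" log line above is the signal that an entry is missing for that user and mechanism.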