[Dovecot] dovecot+LDAP/AD encoding issue
Hello everybody,
I have a problem with Dovecot + Active Directory as the authentication service. I am not able to use special characters (äöüß, German umlauts) within a password. Normally I would expect the LDAP query to be done in UTF-8, but as I debugged the auth process I have seen that the password is ISO-8859-1 encoded. The "original" query (from Roundcube, for example) is UTF-8 encoded (I dumped the POST query). So far I wasn't able to find my error by myself or by searching the web. Maybe one of you can give me a hint :-)
Thanks and greetings from Germany, Helge
dovecot --version
2.0.16

D-AS01:/etc/dovecot # grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext
uris = ldap://10.37.5.90
dn = CN=ldap-d-as01,CN=Users,DC=tfh-bochum,DC=de
dnpass = xxxx
auth_bind = yes
ldap_version = 3
base = ou=Benutzer, ou=Lehre, dc=tfh-bochum, dc=de
user_attrs = =uid=10000,=gid=10000,=home=/srv/mail/%Ld/%Ln
user_filter = mail=%u
pass_attrs = =uid=10000,=gid=10000,=home=/srv/mail/%Ld/%Ln
pass_filter = (&(mail=%u)(!(extensionAttribute3=*)))

dovecot -n
# 2.0.16: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.37.6-0.11-default x86_64 openSUSE 11.4 (x86_64)
auth_debug = yes
auth_mechanisms = plain login
auth_username_translation = %Lu
auth_verbose = yes
mail_location = maildir:~/Maildir
mail_max_userip_connections = 1000
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  list = yes
  location = 
  prefix = INBOX/
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  list = yes
  location = maildir:%%h/Maildir:INDEX=%h/Maildir/shared/%%u:CONTROL=%h/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/srv/mail/shared-mailboxes
  quota = maildir:Quota
  quota_rule = *:storage=1G
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_max_redirects = 10
}
protocols = imap pop3 sieve lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0770
    user = root
  }
}
service imap-login {
  process_min_avail = 4
  service_count = 0
}
service managesieve-login {
  inet_listener sieve {
    address = *
    port = 4190
  }
  inet_listener sieve_deprecated {
    address = *
    port = 2000
  }
  process_min_avail = 2
  service_count = 0
}
ssl_ca = </etc/ssl/certs/tfh_dfn_dtag_cacert.pem
ssl_cert = </etc/ssl/certs/imap.stud.tfh-bochum.de-20110530-cert-302177588.pem
ssl_key = </etc/ssl/private/imap.stud.tfh-bochum.de-20110530.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = quota
}
protocol imap {
  mail_plugins = quota acl imap_acl imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
Helge Wiethoff
Medienzentrum
Phone: +49 (234) 968 8717
Fax: +49 (234) 968 3453
E-mail: Wiethoff@tfh-bochum.de

Technische Fachhochschule Georg Agricola für Rohstoff, Energie und Umwelt zu Bochum
State-recognised university of applied sciences of DMT-Gesellschaft für Lehre und Bildung mbH
Herner Straße 45, 44787 Bochum
http://www.tfh-bochum.de

Operator: DMT-Gesellschaft für Lehre und Bildung mbH. Registered office: Bochum. Registry court: Amtsgericht Bochum. Commercial register: B 4052
Management: Prof. Dr. Jürgen Kretschmann (Chairman), Manfred Freitag
Wiethoff, Helge wrote:
Hello everybody,
I have a problem with Dovecot + Active Directory as the authentication service. I am not able to use special characters (äöüß, German umlauts) within a password. Normally I would expect the LDAP query to be done in UTF-8, but as I debugged the auth process I have seen that the password is ISO-8859-1 encoded. The "original" query (from Roundcube, for example) is UTF-8 encoded (I dumped the POST query). So far I wasn't able to find my error by myself or by searching the web. Maybe one of you can give me a hint :-)
Thanks and greetings from Germany, Helge
Hello Helge,
In order to make it work with LDAP, the password transmitted over the IMAP connection needs to be encoded in the same character set as the password that was used to generate the hash.
IMAP does not specify how the mail client should encode the password during the login process. So some older clients use Latin-1 and some newer ones use UTF-8.
Probably you are interested in reading the discussion from 2008: http://www.dovecot.org/list/dovecot/2008-November/035263.html
Possibly you could re-encode your passwords with an IMAP proxy like nginx (with the mail and mail_auth modules) and detect German umlauts, but such a setup will quickly get complex.
I think a simple and robust solution would be to limit the allowed characters for user passwords in your password management system to 7-bit ASCII characters (only) and reset the passwords of all users having login problems.
Greetings, Daniel
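Daniel's point in code, as an added example that is not from the thread and not Dovecot's or nginx's code: the same password produces different bytes on the IMAP connection depending on the client's charset, a captured byte string can be classified the way a hexdump is read by hand, and the re-encoding a proxy in front of Dovecot would have to do is shown together with its limit. The password is the test value quoted later in the thread; everything else is an assumption of the example.

```python
# Added example, not code from the thread or from Dovecot.
PASSWORD = "Täst1234"   # the test password Helge quotes later in the thread


def wire_bytes(password: str, charset: str) -> bytes:
    """Bytes an IMAP client sends for `password` when it encodes with `charset`."""
    return password.encode(charset)


def classify(raw: bytes) -> str:
    """Guess which charset produced `raw`: 'ascii', 'utf-8' or 'latin-1'.

    This is a heuristic. Every byte string decodes as Latin-1, and some
    Latin-1 strings (b'\\xc3\\xa4' is 'Ã¤' in Latin-1) are also valid UTF-8.
    Only 7-bit ASCII is unambiguous, which is the reason behind the
    ASCII-only password advice.
    """
    if raw.isascii():
        return "ascii"
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "latin-1"


def to_utf8(raw: bytes) -> bytes:
    """Re-encode a captured password as UTF-8 before handing it to LDAP.

    This is the transcoding an IMAP proxy would have to do (assumed design,
    not an nginx feature). Bytes that already decode as UTF-8 pass through;
    anything else is treated as Latin-1. Because of the ambiguity noted in
    classify(), two different Latin-1 passwords can map to the same UTF-8
    bind string, so the proxy cannot be made exact.
    """
    if classify(raw) == "latin-1":
        return raw.decode("latin-1").encode("utf-8")
    return raw


def hexdump_line(raw: bytes) -> str:
    """Render bytes roughly as `hexdump -C` does, for comparison with the log."""
    hexpart = " ".join(f"{b:02x}" for b in raw)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    return f"{hexpart}  |{asciipart}|"


if __name__ == "__main__":
    for cs in ("ISO-8859-1", "UTF-8"):
        raw = wire_bytes(PASSWORD, cs)
        print(f"{cs:11s} {hexdump_line(raw)}  -> classified as {classify(raw)}")
        print(f"{'':11s} after to_utf8: {hexdump_line(to_utf8(raw))}")
    # A Latin-1 string that is also valid UTF-8, to show the heuristic's limit.
    tricky = "Ã¤".encode("latin-1")
    print("latin-1 'Ã¤'", hexdump_line(tricky), "-> classified as", classify(tricky))
```

Run it and the ISO-8859-1 line shows `54 e4 73 74 31 32 33 34`, the UTF-8 line `54 c3 a4 73 74 ...`; the last line is the case a charset-guessing proxy gets wrong.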
Hello Daniel,
Daniel Parthey wrote:
Probably you are interested in reading the discussion from 2008: http://www.dovecot.org/list/dovecot/2008-November/035263.html
I think, a simple and robust solution would be to limit the allowed characters for user passwords in your password management system to 7-bit ASCII characters (only) and reset passwords of all users having any login problems.
Thanks for the link! I think I understood the major problem. But there is one point I couldn't find out: from the Dovecot auth log I traced a password (Täst1234) with an umlaut:

D-AS01:/var/log # grep st1234\) mail | cut -c 127-134 | hexdump -C
00000000  54 e4 73 74 31 32 33 34  0a                       |T.st1234.|
00000009

As you can see this is ISO-8859-1: e4 --> ä. But the first incoming string from the client was UTF-8 encoded!?
[Tue Aug 07 10:56:37 2012] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-TRANSIENT): _pass=T%C3%A4st1234
Anyway... I guess I have to force our users to 7-bit characters :-(
Greetings, Helge
On 2012-08-08, at 7.56, "Wiethoff, Helge" <Wiethoff@tfh-bochum.de> wrote:
As you can see this is ISO-8859-1: e4 --> ä. But the first incoming string from the client was UTF-8 encoded!?
[Tue Aug 07 10:56:37 2012] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-TRANSIENT): _pass=T%C3%A4st1234
Anyway... I guess I have to force our users to 7-bit characters :-(
You mentioned Roundcube earlier. I notice this in Roundcube's default main.inc.php:
// Password charset.
// Use it if your authentication backend doesn't support UTF-8.
// Defaults to ISO-8859-1 for backward compatibility
$rcmail_config['password_charset'] = 'ISO-8859-1';
...so changing that to UTF-8 may fix the problem so far as Roundcube is concerned.
But you may still face a problem with other clients. We just discussed Thunderbird's behaviour a few days back...
--
Matthew Powell matthew@atom.net
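To see why the mod_dumpio line shows UTF-8 while the auth log shows Latin-1, here is a model of the path the password takes from the browser to the LDAP bind, added as an example (it is not Roundcube's or Dovecot's code). The only knob is Roundcube's password_charset; the user name and directory entry are constructed, and the directory side is modelled as a plain comparison against the UTF-8 bytes of the password, which is what the successful fix in the thread implies.

```python
# Added example, not code from Roundcube, Dovecot or the thread.
from urllib.parse import unquote_to_bytes

# Constructed directory entry (hypothetical user). The bind is modelled as
# "accept if the submitted bytes equal the UTF-8 encoding of the password".
DIRECTORY = {"helge@example.invalid": "Täst1234".encode("utf-8")}


def browser_post_password(form_value: str) -> str:
    """Decode the URL-encoded form field as the web server sees it (UTF-8).

    This is the stage mod_dumpio logs: the bytes are still UTF-8 here.
    """
    return unquote_to_bytes(form_value).decode("utf-8")


def roundcube_imap_password(password: str, password_charset: str) -> bytes:
    """Bytes Roundcube puts in the IMAP LOGIN for `password`.

    Models the effect of $rcmail_config['password_charset']: the decoded
    string is re-encoded into that charset before it goes over IMAP, so the
    wire bytes can differ from what the browser POSTed.
    """
    return password.encode(password_charset)


def dovecot_ldap_auth_bind(user: str, imap_password: bytes) -> bool:
    """Model of Dovecot with auth_bind = yes: the IMAP password bytes are
    handed to the LDAP bind unchanged; the directory accepts them only if
    they match its own (UTF-8) view of the password."""
    stored = DIRECTORY.get(user)
    return stored is not None and stored == imap_password


def login(form_value: str, password_charset: str,
          user: str = "helge@example.invalid") -> bool:
    """Whole chain: browser POST -> Roundcube -> IMAP -> Dovecot -> LDAP bind."""
    plain = browser_post_password(form_value)
    wire = roundcube_imap_password(plain, password_charset)
    return dovecot_ldap_auth_bind(user, wire)


if __name__ == "__main__":
    posted = "T%C3%A4st1234"   # the _pass value from the mod_dumpio line above
    for cs in ("ISO-8859-1", "UTF-8"):
        wire = roundcube_imap_password(browser_post_password(posted), cs)
        print(f"password_charset={cs:11s} IMAP bytes={wire!r:20} bind ok={login(posted, cs)}")
```

With the default `ISO-8859-1` the IMAP bytes are `b'T\xe4st1234'`, the same `54 e4 73 74 ...` seen in the auth log, and the bind fails; with `UTF-8` the bytes match the directory and the bind succeeds. Other IMAP clients sit outside this chain and pick their own charset, which is Matthew's caveat.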
Hi Matthew,
You mentioned Roundcube earlier. I notice this in Roundcube's default main.inc.php:
// Password charset.
// Use it if your authentication backend doesn't support UTF-8.
// Defaults to ISO-8859-1 for backward compatibility
$rcmail_config['password_charset'] = 'ISO-8859-1';
...so changing that to UTF-8 may fix the problem so far as Roundcube is concerned.
But you may still face a problem with other clients. We just discussed Thunderbird's behaviour a few days back...
D'oh... This fixed it. I hadn't taken this into account yet because of the dumpio log, which told me this was already a UTF-8 encoded string...
[Tue Aug 07 10:56:37 2012] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-TRANSIENT): _pass=T%C3%A4st1234
Now the authentication works within Roundcube... Thanks for the hint.
Greetings, Helge