[Dovecot] bug in 99.13-rc2 in ldap md5 patch
hi,
it takes me another hour to debug it again, although i already reported it to both joshua and timo. the original patch for openldap's md5 crypt has a small bug. in passdb-ldap.c the schema is already PLAIN-MD5 since that was set in the other part of the original patch in password-scheme.c. does anybody use dovecot with ldap and md5 password? i don't think so:-( this patch would be useful to apply before the final 0.99.13.
anyway in the current 1.0 series the PLAIN-MD5 and LDAP-MD5 schema are different. at least plain_md5_verify and plain_md5_generate differ from ldap_md5_verify and ldap_md5_generate. why?
-- Levente "Si vis pacem para bellum!"
--- dovecot-0.99.13/src/auth/passdb-ldap.c.lfarkas 2004-12-22 17:06:25.000000000 +0100 +++ dovecot-0.99.13/src/auth/passdb-ldap.c 2004-12-22 17:06:56.000000000 +0100 @@ -109,12 +109,11 @@ } /* Special case for OpenLDAP's MD5 type */ - if (strcasecmp(scheme, "MD5") == 0) { + if (strcasecmp(scheme, "PLAIN-MD5") == 0) { buf = buffer_create_static(data_stack_pool, 16); if (base64_decode(password, strlen(password), NULL, buf) == 1 && buffer_get_used_size(buf) == 16) { password = binary_to_hex(buffer_get_data(buf, NULL), 16); - scheme = "PLAIN-MD5"; } }
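Review bot: in the changed `strcasecmp(scheme, "PLAIN-MD5")` condition, the base64 decode now runs for every PLAIN-MD5 value read from LDAP, and only the `buffer_get_used_size(buf) == 16` check separates a base64 digest from a hex one, yet nothing in the hunk says so. The comment above the condition still reads "Special case for OpenLDAP's MD5 type", which no longer matches the string being compared. Either key the special case on the scheme name the LDAP value actually carries, or update the comment to explain why the scheme is already PLAIN-MD5 at this point and that a value which does not decode to exactly 16 bytes is passed through unchanged.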
On Wed, 2004-12-22 at 18:36 +0100, Farkas Levente wrote:
> it takes me another hour to debug it again, although i already reported it to both joshua and timo. the original patch for openldap's md5 crypt has a small bug. in passdb-ldap.c the schema is already PLAIN-MD5 since that was set in the other part of the original patch in password-scheme.c. does anybody use dovecot with ldap and md5 password?
Hmm. That's a bit kludgy fix since then {PLAIN-MD5} would work differently with LDAP. Maybe I'll just remove the special case from password-scheme.c instead?
> anyway in the current 1.0 series the PLAIN-MD5 and LDAP-MD5 schema are different. at least plain_md5_verify and plain_md5_generate differ from ldap_md5_verify and ldap_md5_generate. why?
hex vs. base64.
Timo Sirainen wrote:
> On Wed, 2004-12-22 at 18:36 +0100, Farkas Levente wrote:
>> it takes me another hour to debug it again, although i already reported it to both joshua and timo. the original patch for openldap's md5 crypt has a small bug. in passdb-ldap.c the schema is already PLAIN-MD5 since that was set in the other part of the original patch in password-scheme.c. does anybody use dovecot with ldap and md5 password?
> Hmm. That's a bit kludgy fix since then {PLAIN-MD5} would work differently with LDAP. Maybe I'll just remove the special case from password-scheme.c instead?
no this way it's correct. ldap's md5 is equal with plain-md5. in the scheme you should recognize it and use the plain-md5 algorithm. anyway it works for me with openldap and md5;-)
-- Levente "Si vis pacem para bellum!"
On Wed, 2004-12-29 at 11:40 +0100, Farkas Levente wrote:
>> Hmm. That's a bit kludgy fix since then {PLAIN-MD5} would work differently with LDAP. Maybe I'll just remove the special case from password-scheme.c instead?
> no this way it's correct. ldap's md5 is equal with plain-md5. in the scheme you should recognize it and use the plain-md5 algorithm. anyway it works for me with openldap and md5;-)
Um. LDAP's MD5 = base64-encoded, Dovecot's PLAIN-MD5 = hex-encoded I think. So with your patch it would be impossible to use hex-encoded MD5 passwords in LDAP because it decodes {PLAIN-MD5} in base64.
I think the LDAP kludges should affect only that if {MD5} password doesn't begin with $1$, it would be assumed to be base64-encoded MD5 password.
Timo Sirainen wrote:
> On Wed, 2004-12-29 at 11:40 +0100, Farkas Levente wrote:
>>> Hmm. That's a bit kludgy fix since then {PLAIN-MD5} would work differently with LDAP. Maybe I'll just remove the special case from password-scheme.c instead?
>> no this way it's correct. ldap's md5 is equal with plain-md5. in the scheme you should recognize it and use the plain-md5 algorithm. anyway it works for me with openldap and md5;-)
> Um. LDAP's MD5 = base64-encoded, Dovecot's PLAIN-MD5 = hex-encoded I think. So with your patch it would be impossible to use hex-encoded MD5 passwords in LDAP because it decodes {PLAIN-MD5} in base64.
> I think the LDAP kludges should affect only that if {MD5} password doesn't begin with $1$, it would be assumed to be base64-encoded MD5 password.
maybe. i just patched the original patch to work. but as i debug dovecot it seems the auth process first reaches passdb-ldap.c's line 111 as scheme == PLAIN-MD5 (where the password is converted) and just after that password-scheme.c's line 190... so the schema is already plain-md5 in passdb-ldap.c and without my patch it's not working:-(
-- Levente "Si vis pacem para bellum!"
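
The encoding distinction argued over in this thread (an LDAP `{MD5}` value is a base64-encoded digest, Dovecot's PLAIN-MD5 is hex, and a value beginning with `$1$` is MD5-crypt), as an added example that is not part of the thread and not Dovecot code. `classify_md5`, `md5_hex` and the sample values in the comments are hypothetical names and constructed data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; none of this is Dovecot API. */
enum md5_kind { MD5_UNKNOWN, MD5_CRYPT, MD5_BASE64, MD5_HEX };

char md5_hex[33]; /* lowercase hex digest from the last classify_md5() call */

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* A 16-byte digest is always 22 base64 characters followed by "==". */
static int b64_to_digest(const char *s, unsigned char out[16]) {
    unsigned int acc = 0;
    int bits = 0, n = 0;
    if (strlen(s) != 24 || strcmp(s + 22, "==") != 0) return -1;
    for (int i = 0; i < 22; i++) {
        int v = b64val((unsigned char)s[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (acc >> bits) & 0xff; }
    }
    return 0;
}

/* Constructed sample: MD5("password") is "X03MO1qnZdYdgyfeuILPmQ==" in base64. */
enum md5_kind classify_md5(const char *value) {
    unsigned char raw[16];
    size_t i;
    md5_hex[0] = '\0';
    if (strncmp(value, "$1$", 3) == 0) return MD5_CRYPT; /* not a bare digest */
    if (b64_to_digest(value, raw) == 0) {
        for (i = 0; i < 16; i++) sprintf(md5_hex + 2 * i, "%02x", raw[i]);
        return MD5_BASE64;
    }
    if (strlen(value) != 32) return MD5_UNKNOWN;
    for (i = 0; i < 32; i++) {
        /* A 32-character hex digest never has the 24-character base64 shape. */
        if (!isxdigit((unsigned char)value[i])) { md5_hex[0] = '\0'; return MD5_UNKNOWN; }
        md5_hex[i] = (char)tolower((unsigned char)value[i]);
    }
    md5_hex[32] = '\0';
    return MD5_HEX;
}
```

Both encodings of the same digest end up as the same hex string, which is the form a hex-based PLAIN-MD5 comparison expects.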
participants (2)
- Farkas Levente
- Timo Sirainen