[Dovecot] Only method=PLAIN
Hello
I need to authenticate Dovecot against OpenLDAP. OpenLDAP's authentication method requires SHA. How must I set up Dovecot?
#### /etc/dovecot/dovecot-ldap.conf
hosts = ldap-server
dn = cn=administrator,o=admin,o=ldap-server
dnpass = xxxxx
# # # test parameters
default_pass_scheme = SHA
# # # end of test parameters
auth_bind = yes
auth_bind_userdn = cn=%u,o=usuarios,o=ldap-server
ldap_version = 3
base = o=usuarios,o=ldap-server
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
#########
/etc/dovecot.conf
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = manuel@mfernandez.es
}
auth default {
  #mechanisms = plain SHA
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  user = root
}
dict {
}
plugin {
}
If I uncomment "#mechanisms = plain SHA", Dovecot doesn't start; the error is: dovecot: auth(default): Unknown authentication mechanism 'SHA'
Thank you
On 16.5.2012, at 19.36, Manuel Fernández Panzuela wrote:
Hello
I need to authenticate Dovecot against OpenLDAP. OpenLDAP's authentication method requires SHA. How must I set up Dovecot? .. #mechanisms = plain SHA .. If I uncomment "#mechanisms = plain SHA", Dovecot doesn't start; the error is: dovecot: auth(default): Unknown authentication mechanism 'SHA'
You're confusing the difference between authentication mechanism and password scheme. http://wiki2.dovecot.org/Authentication
You want to use SHA1 as password scheme but still PLAIN mechanism.
Interesting - just so I have this clear in my own head. The password scheme is the way the password is encrypted but the authentication mechanism is whether the password is sent encrypted as well?
On 17/05/12 22:00, Timo Sirainen wrote:
You're confusing the difference between authentication mechanism and password scheme. http://wiki2.dovecot.org/Authentication
You want to use SHA1 as password scheme but still PLAIN mechanism.
-- Tim Smith Tel: 01423 564 078 Mob: 07984 398 299 Email: info@titan21.co.uk Web: www.titan21.co.uk
Yep, that's the way it works. In effect the LDAP server can use any schema for storing its passwords, since you can then authenticate onto the LDAP server itself, using Dovecot as a kind of proxy.
In effect the LDAP server can store different user passwords in different schemas as well (I'd recommend going with the default SSHA - salted SHA - at least), which can be useful when you're making a transition from, say, some SQL-based backend onto LDAP (been there, done that, although with Samba).
The authentication mechanism lets you specify in which way you want to transfer the password over the network (and, of course, nothing beats using STARTTLS/SSL in terms of encryption security - so you really should rely on that one when it comes down to securing the communications channel - note that weak passwords can't be really protected in this way :) ).
On Thu, 17 May 2012 22:10:43 +0100 Tim Smith tim@titan21.co.uk wrote:
Interesting - just so I have this clear in my own head. The password scheme is the way the password is encrypted but the authentication mechanism is whether the password is sent encrypted as well?
-- Branko Majic Jabber: branko@majic.rs Please use only Free formats when sending attachments to me.
On Thu, 2012-05-17 at 22:10 +0100, Tim Smith wrote:
Interesting - just so I have this clear in my own head. The password scheme is the way the password is encrypted
Yes.
but the authentication mechanism is whether the password is sent encrypted as well?
Something like that. It's about the protocol by which the authentication is done.
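Timo's and Branko's distinction above, as an added example that is not from the thread: the SASL PLAIN mechanism is only the wire encoding of the credentials, and the {SHA}/{SSHA} scheme is only how OpenLDAP stores userPassword, so a PLAIN login verifies fine against a SHA-stored password. The directory, user names and passwords are constructed; with auth_bind = yes as in Manuel's config, the LDAP server performs the verify step itself during the bind, but the logic is the same.

```python
# Added example (not from the thread): SASL PLAIN *mechanism* (RFC 4616) on the
# wire versus the OpenLDAP {SHA}/{SSHA} password *scheme* at rest. Constructed data.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

def plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """Client side of PLAIN: base64(authzid NUL authcid NUL password). Base64 is an
    encoding, not encryption, which is why the thread insists on STARTTLS/SSL."""
    raw = authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")

def parse_plain_initial_response(b64: str) -> Tuple[str, str, str]:
    """Server side of PLAIN: decode and split the three NUL-separated fields."""
    fields = base64.b64decode(b64).split(b"\0")
    if len(fields) != 3:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = (f.decode() for f in fields)
    return authzid, authcid, password

def sha_hash(password: str) -> str:
    """OpenLDAP {SHA} scheme: unsalted SHA-1, as in Manuel's directory."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode("ascii")

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} scheme (Branko's recommendation): SHA-1(password + salt) + salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored {SHA} or {SSHA} value."""
    scheme, _, b64 = stored.partition("}")
    blob = base64.b64decode(b64)
    if scheme == "{SHA":
        return hmac.compare_digest(blob, hashlib.sha1(candidate.encode()).digest())
    if scheme == "{SSHA":
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    raise ValueError("unsupported password scheme: " + scheme + "}")

def authenticate(b64_response: str, directory: Dict[str, str]) -> bool:
    """What a passdb does in effect: credentials arrive via PLAIN and are then
    verified against whatever scheme that user's entry happens to use."""
    _authzid, user, password = parse_plain_initial_response(b64_response)
    stored = directory.get(user)
    return stored is not None and verify_userpassword(stored, password)
```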
Then, which is the correct configuration? Are my config files OK? OpenLDAP stores passwords encrypted with the SHA algorithm.
Could Sendmail be the problem? Sendmail works with PAM authentication (/etc/pam.d/smtp) to work with LDAP too.
When I connect Outlook to (Sendmail + Dovecot), the password is requested, but for all attempts I get the following error in /var/log/maillog:
Using TLS
dovecot: pop3-login: Disconnected: user=<>, method=PLAIN, rip=::ffff:10.237.208.211, lip=::ffff:10.237.193.133, TLS
Without TLS
dovecot: pop3-login: Disconnected: user=<>, method=PLAIN, rip=::ffff:10.237.208.211, lip=::ffff:10.237.193.133
Sendmail.mc
FEATURE(correo_MFP)dnl
LDAPROUTE_DOMAIN(ldapserver.mfernandez.es)dnl
SMTPINI_JA(smtpinicial.mfernandez.es)dnl
OLD_DOMAIN(correo.mfernandez.es)dnl
LOCAL_MAIL_HOST(smtp-incial.mfernandez.es)dnl
define(`confLDAP_DEFAULT_SPEC', `-h xxx.xxx.xxx.xxx -p 389 -b "o=usuarios,o=mfernandez,c=es" -d "cn=Admin,o=usuarios,o=mfernandez,c=es" -M simple -P /etc/mail/passcorreo')dnl
define(`ALIAS_FILE', `ldap:')dnl
FEATURE(`virtusertable', `LDAP')dnl
define(`confAUTH_MECHANISMS', `PLAIN')dnl
TRUST_AUTH_MECH(`PLAIN')dnl
define(`SMART_HOST', `mail.mfernandez.es')dnl
dnl define(`SMART_HOST', `localhost')dnl
dnl define(`ALIAS_FILE', `ldap:-b"" -v rfc822MailMember -k &(objectClass=nisMailAlias)(cn=%0)')dnl
dnl correo_MFP - end of the required modifications
dnl **************************************************
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwcorreo.mfernandez.es
Thank you so much!
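The maillog lines in Manuel's message above, worked as an added triage script that is not from the thread: it parses Dovecot's pop3-login/imap-login lines into fields and flags an empty user (the symptom of the LDAP attribute-mapping problem) and a PLAIN attempt without TLS. The log lines, hostname and timestamps are constructed after the thread's excerpt; only the addresses are taken from the page.

```python
# Added example (not from the thread): triage parser for the pop3-login /
# imap-login lines Manuel pasted from /var/log/maillog. Log lines are constructed
# after the thread's (hostname and timestamps invented, addresses as on the page).
import re
from typing import Dict, List, Optional

LOGIN_RE = re.compile(
    r"dovecot: (?P<service>(?:pop3|imap)-login): (?P<event>[^:]+): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[A-Z0-9-]+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,\s]+)(?P<rest>.*)$"
)

SAMPLE_LOG = [
    "May 17 22:10:43 correo dovecot: pop3-login: Disconnected: user=<>, method=PLAIN, "
    "rip=::ffff:10.237.208.211, lip=::ffff:10.237.193.133, TLS",
    "May 17 22:11:02 correo dovecot: pop3-login: Disconnected: user=<>, method=PLAIN, "
    "rip=::ffff:10.237.208.211, lip=::ffff:10.237.193.133",
    "May 17 22:12:15 correo dovecot: imap-login: Login: user=<manuel>, method=PLAIN, "
    "rip=::ffff:10.237.208.211, lip=::ffff:10.237.193.133, TLS",
    "May 17 22:12:16 correo dovecot: lda(manuel): saved mail to INBOX",
]

def parse_login_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a login-process log line, or None for other lines.
    Dovecot prints the user inside <>; an empty <> means the login process
    never got a usable username back from the auth process."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rest = str(rec.pop("rest"))
    # Dovecot appends ", TLS" (sometimes after ", mpid=...") only when TLS was on.
    rec["tls"] = re.search(r"\bTLS\b", rest) is not None
    return rec

def triage(lines: List[str]) -> List[str]:
    """Flag the two conditions visible in the thread's log excerpt."""
    findings: List[str] = []
    for line in lines:
        rec = parse_login_line(line)
        if rec is None:
            continue
        if rec["user"] == "":
            findings.append(f"{rec['service']}: empty user from {rec['rip']} "
                            "(check passdb/userdb attribute mapping in dovecot-ldap.conf)")
        if rec["method"] == "PLAIN" and not rec["tls"]:
            findings.append(f"{rec['service']}: PLAIN without TLS from {rec['rip']} "
                            "(password crosses the network unencrypted)")
    return findings
```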
Sendmail configuration isn't relevant with Dovecot. Set auth_debug_passwords=yes to debug why the authentication isn't working.
On Fri, 2012-05-18 at 09:19 +0200, Manuel Fernández Panzuela wrote:
Then, which is the correct configuration? Are my config files OK? OpenLDAP stores passwords encrypted with the SHA algorithm.
Perfect, Timo!!!
I have detected the problem with your help. Thank you so much!! The error was due to an error mapping LDAP attributes.
Kind regards
2012/5/19 Timo Sirainen tss@iki.fi
Sendmail configuration isn't relevant with Dovecot. Set auth_debug_passwords=yes to debug why the authentication isn't working.
participants (4)
- Manuel Fernández Panzuela
- Tim Smith
- Timo Sirainen
- Бранко Мајић