Password mismatch after upgrade to Ubuntu Focal
Hi!
Today I upgraded one of our Dovecot servers from Ubuntu 18.04 to Ubuntu 20.04. After the upgrade I have login issues because the password didn't match.
I also installed Dovecot on a clean Ubuntu 20.04 server with the same configuration files. And here I also got the password match issue.
We're using LDAP for managing the login credentials and I'm 100% sure the password is correct. With the debug options on, you will see something like this:
CRYPT(
Does somebody know if there are know issues with Dovecot 2.3.7.2- 1ubuntu3.1 on Ubuntu 20.04 and with the LDAP driver?
dovecot -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.7.2 () # OS: Linux 5.4.0-33-generic x86_64 Ubuntu 20.04 LTS ceph # Hostname: server.example.tld auth_verbose = yes disable_plaintext_auth = no listen = *, [::] log_timestamp = "%Y-%m-%d %H:%M:%S " login_greeting = POP/IMAP Service ready. mail_fsync = always mail_location = maildir:/mail/%u mail_privileged_group = mail passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile:/etc/dovecot/acls/:cache_secs=30 autosubscribe = Trash autosubscribe2 = Sent autosubscribe3 = Drafts } protocols = imap pop3 service auth { user = root } service imap-create-folder { executable = script-login /usr/local/sbin/dovecot-create-dirs.sh } service imap-login { process_min_avail = 15 service_count = 0 } service imap { executable = imap imap-create-folder } service pop3-login { process_min_avail = 15 service_count = 0 } service pop3 { drop_priv_before_exec = yes } ssl = no userdb { driver = prefetch } protocol imap { mail_max_userip_connections = 25 mail_plugins = acl } protocol pop3 { pop3_uidl_format = %f }
/etc/dovecot/dovecot-ldap.conf
hosts = ldap.server.example.tld
dn = <XXXXX> dnpass = <XXXXX> auth_bind = no ldap_version = 3 base = <XXXXX>
pass_attrs = <XXXXX> pass_filter = <XXXXX>
Thanks!
Jeffrey
On Mon, 2020-06-15 at 12:24 +0200, Jeffrey van Doesburg wrote:
Hi!
Today I upgraded one of our Dovecot servers from Ubuntu 18.04 to Ubuntu 20.04. After the upgrade I have login issues because the password didn't match.
I also installed Dovecot on a clean Ubuntu 20.04 server with the same configuration files. And here I also got the password match issue.
We're using LDAP for managing the login credentials and I'm 100% sure the password is correct. With the debug options on, you will see something like this:
CRYPT(
) != '$6$ ' Does somebody know if there are know issues with Dovecot 2.3.7.2- 1ubuntu3.1 on Ubuntu 20.04 and with the LDAP driver?
Hi,
Little update about the "password mismatch" error. I tried different versions of Dovecot on Ubuntu 18.04 and 20.04. And it looks like it's something in Ubuntu that cause the error. Because Dovecot 2.3.10.1 works fine on Bionic and on Focal it gives a "password mismatch" message.
Focal:
- 2.3.7.2-1ubuntu3.1 from Ubuntu main repo (Password Mismatch)
- 2.3.10.1 compiled from source (Password Mismatch)
Bionic:
- 2.2.33.2-1ubuntu4.5 from Ubuntu main repo (IMAP works)
- 2.3.10.1 compiled from source (IMAP works)
If someone has a clue, I would like to hear it! :)
"Jeffrey" == Jeffrey van Doesburg jeffrey@bit.nl writes:
Jeffrey> On Mon, 2020-06-15 at 12:24 +0200, Jeffrey van Doesburg wrote:
Hi!
Today I upgraded one of our Dovecot servers from Ubuntu 18.04 to Ubuntu 20.04. After the upgrade I have login issues because the password didn't match.
I also installed Dovecot on a clean Ubuntu 20.04 server with the same configuration files. And here I also got the password match issue.
We're using LDAP for managing the login credentials and I'm 100% sure the password is correct. With the debug options on, you will see something like this:
CRYPT(
) != '$6$ ' Does somebody know if there are know issues with Dovecot 2.3.7.2- 1ubuntu3.1 on Ubuntu 20.04 and with the LDAP driver?
Jeffrey> Little update about the "password mismatch" error. I tried Jeffrey> different versions of Dovecot on Ubuntu 18.04 and 20.04. And Jeffrey> it looks like it's something in Ubuntu that cause the Jeffrey> error. Because Dovecot 2.3.10.1 works fine on Bionic and on Jeffrey> Focal it gives a "password mismatch" message.
Jeffrey> Focal: Jeffrey> - 2.3.7.2-1ubuntu3.1 from Ubuntu main repo (Password Mismatch) Jeffrey> - 2.3.10.1 compiled from source (Password Mismatch)
Jeffrey> Bionic: Jeffrey> - 2.2.33.2-1ubuntu4.5 from Ubuntu main repo (IMAP works) Jeffrey> - 2.3.10.1 compiled from source (IMAP works)
Jeffrey> If someone has a clue, I would like to hear it! :)
What if you compile on Bionic and run it on Focal, does it still work or fail? Can you give the 'ldd' output of each as well, so we can see which versions of the various libraries you have installed?
And what about if you don't use LDAP, but just use an sqlite3 or even just a plain flat file for authentication, to try and figure out if it's dovecot's problem, or maybe something in LDAP that changed as well?
My dovecot setup just uses sqlite3, so I can't really help much on the LDAP side.
Good luck! John
On Mon, 2020-06-15 at 22:44 -0400, John Stoffel wrote:
And what about if you don't use LDAP, but just use an sqlite3 or even just a plain flat file for authentication, to try and figure out if it's dovecot's problem, or maybe something in LDAP that changed as well?
Hi John,
Thanks for your reply! We already found the issue, we're using a special character in our salt which isn't allowed (anymore?). After changing the salt, LDAP authentication is working again on Ubuntu Focal.
Thanks again!
Jeffrey> On Mon, 2020-06-15 at 22:44 -0400, John Stoffel wrote:
And what about if you don't use LDAP, but just use an sqlite3 or even just a plain flat file for authentication, to try and figure out if it's dovecot's problem, or maybe something in LDAP that changed as well?
Jeffrey> Thanks for your reply! We already found the issue, we're using a Jeffrey> special character in our salt which isn't allowed (anymore?). After Jeffrey> changing the salt, LDAP authentication is working again on Ubuntu Jeffrey> Focal.
Great news, can you post more details so that other's don't run into the same problem? Knowing the salt value isn't a bad thing....
John
On Tue, 2020-06-16 at 08:47 -0400, John Stoffel wrote:
Jeffrey> Thanks for your reply! We already found the issue, we're using a Jeffrey> special character in our salt which isn't allowed (anymore?). After Jeffrey> changing the salt, LDAP authentication is working again on Ubuntu Jeffrey> Focal.
Great news, can you post more details so that other's don't run into the same problem? Knowing the salt value isn't a bad thing....
Ofcourse! We generated a unique salt for each password with the characters: "A-Za-z0-9./~=[];':!-()". This worked fine for years, until the upgrade to Ubuntu Focal.
After (long) debugging, we found out that only the following characters are accepted for generating a valid salt: "./0-9A-Za-z"
So if you generate a salt for SHA, only use these characters: "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".
participants (2)
-
Jeffrey van Doesburg
-
John Stoffel