[Dovecot] SQL passdb lookups not working
Hello everyone,
I'm trying to make dovecot do user authentication against a SQL database. The passwords (managed by Django) are stored as salted SHA1 encoded in hex. I monkey patched Django's password method so that the password hash is made with <password><salt> (Django does <salt><password>; the patched method was verified to return the same value as dovecotpw) and the passwords are stored in the database separately as the salted hash and the salt. When I query the values out of the database, I'm using MySQL's concat function to return the password as {SSHA.hex}<sha1 hash><salt>. Dovecot is not able to verify any passwords right now. I've scoured the wiki and I think my setup is correct... config info is below. Any advice on where to look for debugging or setup of my passwords would be appreciated!
Ben
dovecot-sql.conf:
default_pass_scheme = SSHA.hex
password_query =
SELECT emailmanager_emailaddresses.account AS username,
emailmanager_domain.name AS domain,
CONCAT('{SSHA.hex}',
emailmanager_userprofile.shadigest,
emailmanager_userprofile.salt
) AS password
FROM emailmanager_emailaddresses
JOIN emailmanager_domain ON emailmanager_emailaddresses.id = emailmanager_domain.id
JOIN emailmanager_userprofile ON
emailmanager_emailaddresses.id = emailmanager_userprofile.id
WHERE emailmanager_emailaddresses.account = '%n'
AND emailmanager_domain.name = '%d'
Just in case someone else runs into this...
I solved the problem that I described below by switching the password encoding to base64. Also, with Django, you have to monkey patch (based on info from [1]) the set_password function in django.contrib.auth.models.User. You also have to use a UserProfile as described at [2]. The code below goes in models.py for your project.
import hashlib
import base64
from django.contrib.auth.models import User

# Save the original User.set_password method
orig_set_password = User.set_password

def set_password(user, raw_password):
    # The profile row needs a saved user to point at
    if user.id is None:
        user.save()
    # Use the original method to set the django User password:
    orig_set_password(user, raw_password)
    # UserProfile is the profile model defined in this models.py (see [2])
    userprofile, created = UserProfile.objects.get_or_create(user=user)
    # Save the salt and sha digest in the correct format for dovecot:
    # Django 1.3 stores 'sha1$<salt>$<hash>', so field 1 is the salt
    m = hashlib.sha1()
    userprofile.salt = user.password.split('$')[1]
    m.update(raw_password)
    m.update(userprofile.salt)
    # SSHA value: base64(sha1(password + salt) + salt)
    userprofile.shadigest = base64.b64encode(m.digest() + userprofile.salt)
    userprofile.save()

# Replace the method with the custom set_password
User.set_password = set_password
[1] https://github.com/jedie/PyLucid/blob/master/pylucid_project/apps/pylucid/mo...
[2] https://docs.djangoproject.com/en/1.3/topics/auth/#storing-additional-inform...
On 8/7/2011 12:53 PM, Benjamin Montgomery wrote:
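The two messages above turn on how a Dovecot SSHA passdb value is put together: the SHA-1 is taken over <password><salt>, and whichever encoding the scheme suffix names ({SSHA} for base64, {SSHA.hex} for hex) wraps the digest and the salt together, so the verifier recovers the salt from the bytes that follow the 20-byte digest. The reply's base64 value, base64(digest + salt), has exactly that shape. The following is an added example, not code from the thread or from Dovecot or Django: it builds and verifies values in both encodings from a constructed Django 1.3-style "sha1$<salt>$<hash>" record (using the same split('$')[1] salt extraction as the reply), and also assembles the value the first post's CONCAT produced (hex digest with the raw salt text appended) to show that a decoder cannot recover a salt that sits outside the encoded bytes. All function names and the sample password and salt are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac

DIGEST_LEN = 20  # SHA-1 digest size in bytes


def ssha_digest(raw_password: bytes, salt: bytes) -> bytes:
    """SHA-1 over <password><salt>, the order Dovecot's SSHA scheme uses.
    Django 1.3 itself hashes <salt><password>, which is why the thread patches set_password."""
    return hashlib.sha1(raw_password + salt).digest()


def make_ssha(raw_password: bytes, salt: bytes, encoding: str = "base64") -> str:
    """Build a passdb value. Both encodings wrap digest and salt together;
    a verifier recovers the salt by decoding and taking the bytes after the digest."""
    blob = ssha_digest(raw_password, salt) + salt
    if encoding == "base64":
        return "{SSHA}" + base64.b64encode(blob).decode("ascii")
    if encoding == "hex":
        return "{SSHA.hex}" + binascii.hexlify(blob).decode("ascii")
    raise ValueError("unsupported encoding: %s" % encoding)


def verify_ssha(raw_password: bytes, stored: str) -> bool:
    """Check a password against a {SSHA} or {SSHA.hex} value the way a passdb lookup does."""
    if stored.startswith("{SSHA.hex}"):
        decode, body = binascii.unhexlify, stored[len("{SSHA.hex}"):]
    elif stored.startswith("{SSHA}"):
        decode, body = (lambda s: base64.b64decode(s, validate=True)), stored[len("{SSHA}"):]
    else:
        return False  # some other scheme; not handled here
    try:
        blob = decode(body)
    except (binascii.Error, ValueError):
        return False  # odd-length hex, non-hex or non-base64 characters: malformed value
    if len(blob) <= DIGEST_LEN:
        return False  # nothing left over for the salt
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    # constant-time comparison of the stored digest with the recomputed one
    return hmac.compare_digest(digest, ssha_digest(raw_password, salt))


def django13_record(raw_password: bytes, salt: bytes) -> str:
    """Constructed Django 1.3-style password field 'sha1$<salt>$<hexdigest>'
    (Django hashes salt + password)."""
    return "sha1$%s$%s" % (salt.decode("ascii"), hashlib.sha1(salt + raw_password).hexdigest())


def salt_from_django_record(password_field: str) -> bytes:
    """Same extraction as the thread's user.password.split('$')[1]."""
    return password_field.split("$")[1].encode("ascii")


def original_query_value(raw_password: bytes, salt: bytes) -> str:
    """What the first post's CONCAT assembled: hex digest with the raw salt text appended.
    The salt is outside the hex encoding, so the decoder cannot recover it."""
    return "{SSHA.hex}" + hashlib.sha1(raw_password + salt).hexdigest() + salt.decode("ascii")


if __name__ == "__main__":
    pw, salt = b"correct horse", b"a1b2c"  # constructed sample password and salt
    record = django13_record(pw, salt)
    s = salt_from_django_record(record)
    for value in (make_ssha(pw, s), make_ssha(pw, s, "hex"), original_query_value(pw, s)):
        print(value, verify_ssha(pw, value))
```

Running the block prints True for the base64 and hex values built by make_ssha and False for the value assembled the way the first post's query did, because the hex decoder sees the appended salt text as part of the hex string rather than as the salt bytes.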