[Dovecot] LDAP, MD5-CRYPT, invalid credentials, BUG or config issue?
Hi,
I read a lot of howto's and I got problems with LDAP and Dovecot to work together.
I'm using:
  Gentoo Linux 2008.0 hardened
  Dovecot 1.1.7
  Kernel 2.6.26
  OpenLDAP 2.3.43
My dovecot-ldap.conf is:
  uris = ldaps://auth.mydomain.com:636
  auth_bind = yes
  auth_bind_userdn = uid=%u,ou=People,dc=mydomain,dc=com
  ldap_version = 3
  base = ou=People,dc=mydomain,dc=com
  deref = never
  scope = subtree
  user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
  user_filter = (&(objectClass=posixAccount)(uid=%u))
  pass_attrs = uid=user,userPassword=password
  pass_filter = (&(objectClass=posixAccount)(uid=%u))
  default_pass_scheme = CRYPT
I also tried default_pass_scheme = MD5-CRYPT
In the logs I find something like this:
Feb 16 12:20:49 mail dovecot: Dovecot v1.1.7 starting up
Feb 16 12:20:50 mail dovecot: auth(default): new auth connection: pid=30582
Feb 16 12:20:50 mail dovecot: auth(default): new auth connection: pid=30583
Feb 16 12:20:50 mail dovecot: auth(default): new auth connection: pid=30584
Feb 16 12:20:53 mail dovecot: auth(default): new auth connection: pid=30585
Feb 16 12:20:58 mail dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=172.30.0.10 rip=172.30.0.254 lport=993 rport=51269
Feb 16 12:20:58 mail dovecot: auth(default): client out: CONT 1
Feb 16 12:20:58 mail dovecot: auth(default): client in: CONT 1 AGd1ZW50aGVyADE*********=
Feb 16 12:20:58 mail dovecot: auth(default): ldap(guenther,172.30.0.254): invalid credentials
Feb 16 12:21:00 mail dovecot: auth(default): client out: FAIL 1 user=guenther
Feb 16 12:21:00 mail dovecot: auth(default): client in: AUTH 2 PLAIN service=imap secured lip=172.30.0.10 rip=172.30.0.254 lport=993 rport=51269 resp=AGd1ZW50aGVyADE*********=
Feb 16 12:21:00 mail dovecot: auth(default): ldap(guenther,172.30.0.254): invalid credentials
Feb 16 12:21:02 mail dovecot: auth(default): client out: FAIL 2 user=guenther
It seems dovecot ignores the CRYPT password scheme. The password seems to be encrypted in SSHA.
What am I doing wrong, please? I am sure the password is correct, as I can log in to the machine via nss_ldap and pam_ldap.
Regards
Günther
On Mon, Feb 16, 2009 at 12:28:54PM +0100, Guenther Falk wrote:
> My dovecot-ldap.conf is:
>   auth_bind = yes
>   auth_bind_userdn = uid=%u,ou=People,dc=mydomain,dc=com
>   [...]
>   default_pass_scheme = CRYPT
>   [...]
> It seems dovecot ignores the CRYPT password scheme. The password seems to be encrypted in SSHA.
If you use auth_bind, then the password scheme specified in dovecot-ldap.conf is irrelevant, as the password comparison will be done by the LDAP server (cf. http://wiki.dovecot.org/AuthDatabase/LDAP).
Also, your logs show the communication between the two Dovecot components responsible for the auth process, not between Dovecot and the LDAP server. You may want to check your OpenLDAP logs to see what's going on.
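To make the distinction in this reply concrete, here is an added example (not code from the thread or from Dovecot) that models the two passdb modes side by side. With auth_bind, Dovecot hands the user's DN and password to the LDAP server in a simple bind and never looks at userPassword, so default_pass_scheme is never consulted; without auth_bind, Dovecot fetches userPassword itself and a {SCHEME} prefix on the stored value takes precedence over default_pass_scheme, which only applies to unprefixed values. The directory entry, the hash, the password and the helper names (ldap_simple_bind, dovecot_passdb_check, verify, make_ssha) are all constructed for the example; CRYPT is deliberately left unimplemented so that reaching it shows up as an error.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 userPassword schemes handled by this example (CRYPT intentionally omitted).
SALTED = {"SSHA": "sha1", "SMD5": "md5"}
UNSALTED = {"SHA": "sha1", "MD5": "md5"}


def split_scheme(stored, default_scheme):
    """Return (scheme, payload). A {SCHEME} prefix wins; otherwise use default_scheme,
    which mirrors how Dovecot applies default_pass_scheme to unprefixed values."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return default_scheme.upper(), stored


def verify(password, stored, default_scheme="PLAIN"):
    """Constant-time check of password against an RFC 2307 userPassword value."""
    scheme, payload = split_scheme(stored, default_scheme)
    pw = password.encode("utf-8")
    if scheme == "PLAIN":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme in UNSALTED:
        digest = hashlib.new(UNSALTED[scheme], pw).digest()
        return hmac.compare_digest(digest, base64.b64decode(payload))
    if scheme in SALTED:
        raw = base64.b64decode(payload)
        dlen = hashlib.new(SALTED[scheme]).digest_size
        digest, salt = raw[:dlen], raw[dlen:]  # salted schemes store digest || salt
        return hmac.compare_digest(hashlib.new(SALTED[scheme], pw + salt).digest(), digest)
    raise ValueError(f"unsupported password scheme {scheme!r}")


def make_ssha(password, salt=None):
    """Produce a {SSHA} value the way slappasswd -h {SSHA} would."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed directory: one posixAccount with an SSHA-hashed password, as in the thread.
DIRECTORY = {
    "uid=guenther,ou=People,dc=mydomain,dc=com": {
        "uid": "guenther",
        "userPassword": make_ssha("correct horse", b"\x01\x02\x03\x04"),
    },
}


def ldap_simple_bind(dn, password, directory=DIRECTORY):
    """Stand-in for the server side of an LDAP simple bind: slapd compares against
    userPassword using the scheme stored in the value; an unprefixed value is cleartext."""
    entry = directory.get(dn)
    return entry is not None and verify(password, entry["userPassword"], "PLAIN")


def dovecot_passdb_check(user, password, auth_bind, default_pass_scheme, directory=DIRECTORY):
    """Model of Dovecot's LDAP passdb for the two modes discussed in the thread."""
    dn = f"uid={user},ou=People,dc=mydomain,dc=com"  # auth_bind_userdn template from the post
    if auth_bind:
        # auth_bind = yes: the LDAP server does the comparison. userPassword is never
        # fetched and default_pass_scheme is never consulted.
        return ldap_simple_bind(dn, password, directory)
    # auth_bind = no: Dovecot fetches userPassword and verifies it itself.
    entry = directory.get(dn)
    if entry is None:
        return False
    return verify(password, entry["userPassword"], default_pass_scheme)


if __name__ == "__main__":
    for auth_bind in (True, False):
        ok = dovecot_passdb_check("guenther", "correct horse", auth_bind, "CRYPT")
        print(f"auth_bind={auth_bind} default_pass_scheme=CRYPT -> {ok}")
```

Both modes accept the right password here, because the {SSHA} prefix decides the scheme whether slapd or Dovecot does the comparison; default_pass_scheme=CRYPT is only ever reached for a stored value with no prefix at all, which is why the original poster's change from CRYPT to MD5-CRYPT could not have had any effect under auth_bind.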