[Dovecot] SQL passdb lookups not working

Benjamin Montgomery bmontgom at montynet.org
Sun Aug 14 18:19:25 EEST 2011 

Just in case someone else runs into this...

I solved the problem that I described below by switching the password 
encoding to base64.  Also, with django, you have to monkey patch (based 
on info from [1]) the set_password function in 
django.contrib.auth.models.User.  You also have to use a UserProfile 
like described at [2].  Code below goes in models.py for your project.

import hashlib
import base64

from django.contrib.auth.models import User

# Save original User set_password method
orig_set_password = User.set_password

def set_password(user, raw_password):
     if user.id == None:
         user.save()

     # Use the original method to set the django User password:
     orig_set_password(user, raw_password)

     userprofile, created = UserProfile.objects.get_or_create(user=user)

     # Save the salt and sha digest in the correct format for dovecot
     m = hashlib.sha1()

     userprofile.salt = user.password.split('$')[1]

     m.update(raw_password)
     m.update(userprofile.salt)

     userprofile.shadigest = base64.b64encode(m.digest() + userprofile.salt)

     userprofile.save()

# Replace the method with the custom set_password
User.set_password = set_password

[1] 
https://github.com/jedie/PyLucid/blob/master/pylucid_project/apps/pylucid/models/userprofile.py
[2] 
https://docs.djangoproject.com/en/1.3/topics/auth/#storing-additional-information-about-users

On 8/7/2011 12:53 PM, Benjamin Montgomery wrote:
> Hello everyone,
>
> I'm trying to make dovecot do user authentication against a SQL
> database. The passwords (managed by Django) are stored as salted SHA1
> encoded in hex. I monkey patched Django's password method so that the
> password hash is made with <password><salt> (Django does
> <salt><password>, the patched method was verified to return same value
> as dovecotpw) and the passwords are stored in the database separately as
> the salted hash and the salt. When I query the values out of the
> database, I'm using MySQL's concat function to return the password as
> {SSHA.hex}<sha1 hash><salt>. Dovecot is not able to verify any passwords
> right now. I've scoured the wiki and I think my setup is
> correct...config info is below. Any advice on where to look for
> debugging or setup of my passwords would be appreciated!
>
> Ben
>
>
> dovecot-sql.conf:
>
> default_pass_scheme = SSHA.hex
>
> password_query = \
> SELECT emailmanager_emailaddresses.account AS username, \
> emailmanager_domain.name AS domain, \
> CONCAT('{SSHA.hex}', \
> emailmanager_userprofile.shadigest, \
> emailmanager_userprofile.salt \
> ) AS password \
> FROM emailmanager_emailaddresses \
> JOIN emailmanager_domain ON emailmanager_emailaddresses.id =
> emailmanager_domain.id \
> JOIN emailmanager_userprofile ON emailmanager_emailaddresses.id =
> emailmanager_userprofile.id \
> WHERE emailmanager_emailaddresses.account = '%n' \
> AND emailmanager_domain.name = '%d'

More information about the dovecot mailing list