Double variable expansion / multiple password mechanisms

Karsten Heiken heiken at luis.uni-hannover.de
Tue Jun 14 15:15:32 UTC 2016


Hi Leon,

>> You should be able to add multiple userPassword attributes to your directory:
>>
>> userPassword: {CRAM-MD5}xxx
>> userPassword: {DIGEST-MD5}xxxx
>> userPassword: {SCRAM-SHA-1}xxxx
>> userPassword: {NTLM}xxxx
>
> Did try this, didn't end well.
> 
> Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,<SQn6QD41TpvLhgGR>): Multiple password values not supported
> [...]

Huh. You're right, I'm sorry.

A few days ago I tried just that - adding a second userPassword to my LDAP and got this result:
> dovecot: auth: Warning: ldap(x,127.0.0.1,<TxHjBz41DumCSwXU>): Multiple values found for 'password', using value '{SSHA}yaddayadda'

Turns out there is still only one password tried, not all of them - which was working as intended on this occasion.

But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup.
If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP.

http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

This of course only works for passdb lookups.
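
The auth_bind setup mentioned in the message above, as an added example that is not part of the original post or of the Dovecot documentation. The host name, DNs, search base and object class are constructed placeholders. Authentication binds need the client's plaintext password, so they work only with the PLAIN and LOGIN mechanisms.

```conf
# dovecot-ldap.conf.ext (constructed sample; host, DNs and base are placeholders)
hosts = ldap.example.org
ldap_version = 3
tls = yes
base = ou=people,dc=example,dc=org

# Service account used only to search for the user's entry.
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = CHANGE_ME

# Verify the password by binding to the LDAP server as the user.
# Dovecot never reads userPassword, so its storage scheme does not matter.
auth_bind = yes

# Find the entry to bind as; only the login name is mapped,
# no password attribute is requested.
pass_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user

# Alternative: skip the search and build the bind DN from a template.
# pass_filter and pass_attrs are ignored when this is set.
#auth_bind_userdn = uid=%n,ou=people,dc=example,dc=org
```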

