BUG: nopassword doesn't work with CRAM-MD5
Aki Tuomi
aki.tuomi at dovecot.fi
Thu Nov 17 08:35:57 UTC 2016
On 17.11.2016 10:30, Arkadiusz Miśkiewicz wrote:
> On Thursday 17 of November 2016, Aki Tuomi wrote:
>> On 17.11.2016 10:14, Arkadiusz Miśkiewicz wrote:
>>> Hello.
>>>
>>> dovecot 2.2.26.0
>>>
>>> When testing nopassword extra field
>>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5
>>> dovecot doesn't allow any password (while it should) and returns
>>>
>>> " Authentication failed"
>>>
>>> while in logs:
>>>
>>> Nov 17 08:22:34 auth-worker(1551): Info:
>>> sql(pepe,127.0.0.1,<Y8amDXpBptV/AAAB>): Requested CRAM-MD5 scheme, but we
>>> have a NULL password
>>>
>>> NULL is there because our sql query returns empty password just like wiki
>>> says "nopassword: you want to allow all passwords, use an empty
>>> password and this field. "
>>>
>>>
>>> If password is returned in sql query then it fails, too:
>>>
>>> Nov 17 09:00:49 auth-worker(2206): Error:
>>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
>>> non- empty
>>>
>>> So looks to be a bug.
>> It's not a bug. CRAM-MD5 does in fact require *some* password to work,
> Provide fake/random one for nopassword internally.
>
>> you can either store it with doveadm pw -S CRAM-MD5 or as plain text
>> password.
> Then I get
>
>>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
>>> non- empty
> So that doesn't help
>
> btw. doveadm pw -S is not documented, so no idea what it does
>
>> Aki
sorry, typo.
Ment doveadm pw -s CRAM-MD5
How do you perceive user login works with CRAM-MD5 if you do not provide
*any* password for the user? Some passdb backend must provide a password
for the user, if you want to load extra attributes from alternative
backend, use noauthenticate instead of nopassword, but make sure the
last passdb can authenticate the user.
Aki
More information about the dovecot
mailing list