dovecot 2.2.28 password auth with openldap

Sven Hartge sven at svenhartge.de
Mon Aug 7 00:07:46 EEST 2017


Markus Rosjat <rosjat at ghweb.de> wrote:

> I'm desperately trying to store a BLF-CRYPT password hash in an LDAP
> userPassword attribute and get dovecot to authenticate against it.

You (normally) can't, because the userPassword attribute is kind of
"magic" for the LDAP-Server.

OpenLDAP supports several internal schemes ({SSHA} being the most used) and
the wildcard scheme {CRYPT} (no, this does not mean the weak old
crypt()-style password "obfuscation"), which gets passed through to
glibc and supports every password encryption scheme your glibc supports.

See crypt(3) and the NOTES section.

To configure OpenLDAP to use SHA512 with 5000 rounds (default) and a
128bit salt, put this into your slapd.conf:

,----
| password-hash {CRYPT}
| password-crypt-salt-format "$6$%.16s"
`----

Any password passed via EXOP to this server will then be hashed in the
configured way.

Or you can create the hash yourself, provided that you keep the format
as outlined in crypt(3).

Or, as a real last resort, you can allow dovecot to read the attribute
from LDAP (needs different ACLs and degrades the LDAP server to a simple
database) and do the authentication itself; then you don't need to care
whether the LDAP server can understand the format. But by doing so the
LDAP server can no longer authenticate the user itself.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
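Added example, not from the post above and not OpenLDAP's or Dovecot's own code: a pure-Python re-implementation of the SHA-512 crypt(3) scheme ("$6$", Drepper's SHA-crypt as shipped in glibc), used to build a {CRYPT}$6$... userPassword value with a 16-character salt (the shape slapd produces with password-crypt-salt-format "$6$%.16s") and to verify a candidate password against such a stored value. It needs only hashlib, so it also runs on Python builds without the crypt module. The function names (sha512_crypt, make_userpassword, verify_userpassword) and the sample passwords are my own; the one hash it checks itself against is the published SHA-crypt test vector for salt "saltstring" and password "Hello world!".

```python
"""SHA-512 crypt(3) ("$6$") for LDAP userPassword, in pure Python.

Added example, not from the mailing-list post and not OpenLDAP's or
Dovecot's code. Re-implements Drepper's SHA-crypt (glibc crypt(3) "$6$")
with hashlib only, so it runs even where Python's crypt module is gone.
"""
import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SALT_MAX = 16          # crypt(3) uses at most 16 salt characters for $6$
# Stored form: $6$[rounds=N$]salt$<86 base64 chars>
_SHA512_RE = re.compile(
    r"^\$6\$(?:rounds=(\d{1,9})\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})$")


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat a digest to exactly `length` bytes (spec steps 9/10, 16, 20)."""
    return (digest * (length // len(digest) + 1))[:length]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt's little-endian base64: n chars from a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: str, rounds: int = ROUNDS_DEFAULT,
                 rounds_explicit: bool = False) -> str:
    """Return the "$6$..." string glibc's crypt(3) would produce."""
    salt_b = salt[:SALT_MAX].encode()
    rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    plen = len(password)

    # B = H(pw || salt || pw); A = H(pw || salt || B-fill || bits of len(pw))
    b = hashlib.sha512(password + salt_b + password).digest()
    a = hashlib.sha512(password + salt_b)
    a.update(_fill(b, plen))
    n = plen
    while n > 0:                        # each bit of plen, LSB first
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()

    # P and S: password and salt stretched through their own digests
    p = _fill(hashlib.sha512(password * plen).digest(), plen)
    s = _fill(hashlib.sha512(salt_b * (16 + a[0])).digest(), len(salt_b))

    c = a
    for r in range(rounds):             # the cost loop; round 0 starts from A
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # 64 result bytes go out as 21 triples (i, i+21, i+42), each rotated
    # left by i mod 3, then the lone byte c[63]: 21*4 + 2 = 86 chars.
    out = []
    for i in range(21):
        t = (c[i], c[i + 21], c[i + 42])
        t = t[i % 3:] + t[:i % 3]
        out.append(_b64_24bit(*t, 4))
    out.append(_b64_24bit(0, 0, c[63], 2))
    prefix = f"$6$rounds={rounds}$" if rounds_explicit else "$6$"
    return prefix + salt_b.decode() + "$" + "".join(out)


def make_userpassword(password: str, rounds: int = 0) -> str:
    """Build a userPassword value; rounds=0 means glibc's default (5000)."""
    # 16 random itoa64 chars, the shape slapd's "$6$%.16s" salt format yields
    salt = "".join(secrets.choice(ITOA64) for _ in range(SALT_MAX))
    if rounds:
        return "{CRYPT}" + sha512_crypt(password.encode(), salt, rounds, True)
    return "{CRYPT}" + sha512_crypt(password.encode(), salt)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a {CRYPT}$6$... userPassword value."""
    if not stored.startswith("{CRYPT}"):
        return False                    # another scheme ({SSHA}, ...): not ours
    body = stored[len("{CRYPT}"):]
    m = _SHA512_RE.match(body)
    if not m:
        return False                    # not $6$ (e.g. bcrypt $2b$): not handled here
    rounds_s, salt, _ = m.groups()
    if rounds_s is None:
        computed = sha512_crypt(candidate.encode(), salt)
    else:
        computed = sha512_crypt(candidate.encode(), salt, int(rounds_s), True)
    return hmac.compare_digest(computed, body)


if __name__ == "__main__":
    # Published SHA-crypt test vector (Drepper's spec / glibc test suite)
    assert sha512_crypt(b"Hello world!", "saltstring") == (
        "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
        "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")
    v = make_userpassword("correct horse battery staple")  # constructed sample
    print(v)
    print(verify_userpassword(v, "correct horse battery staple"))
```

The value make_userpassword returns is the same kind of string slappasswd -h '{CRYPT}' -c '$6$%.16s' emits, and the same $6$ body doveadm pw -s SHA512-CRYPT produces behind its {SHA512-CRYPT} prefix, so it can be written into userPassword directly. On the Dovecot side the split Sven describes maps onto dovecot-ldap.conf.ext: with auth_bind = yes Dovecot binds as the user and slapd does the comparison (so the value only needs to be something slapd's {CRYPT} handler can recompute), whereas pass_attrs = userPassword=password together with default_pass_scheme = CRYPT makes Dovecot read the attribute and verify it itself, which is the last-resort setup that needs an ACL granting Dovecot's bind DN read access to userPassword.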
