[Dovecot] Re: ldap SMD5 vs. CRYPT
Adam Pordzik
adresseverbummelt at gmx.de
Fri Oct 8 04:35:36 EEST 2004
Joshua Goodall wrote:
> On Tue, Oct 05, 2004 at 03:14:58PM +0200, Adam Pordzik wrote:
>
> > Hello,
> >
> > am I right, that dovecot can't cope with ldap so authentication
> > is handled by ldap itself? And, for that I have to use {CRYPT} and
> > cannot use other mechanisms as {SMD5}
> Dovecot doesn't support handing off authentication to LDAP, unless
> you use PAM (which eliminates the possibility of CRAM-MD5 or DIGEST-MD5
> authentication).
Thank you. I've now also read Timo's posts on that.
> Dovecot supports the RFC2307 userPassword LDAP attribute and through
> that the following schemes:
>
Anyway, I've recompiled OpenLDAP with crypt support, since in addition
it also offers a simpler way to migrate existing posix accounts.
Although I appreciate your work I doubt that this is the right way:
Every time a new encryption comes to any ldap-server, dovecot has to
follow. I'm really, really no Unix/C programmer, so I can't appraise
what makes more work: To (re-)implement a new hash algorithm or to
support auth. ldap binds.
So, might it be better to abandon ldap entirely, in favor of pam?
Or, maintaining a separate attribute "dovecotUserPasswort" or something
like that, with an algorithm dovecot can handle.
> {MD5} (note: Dovecot's {MD5} differs from LDAP's {MD5})
Does that mean that dovecot can't authenticate users with an OpenLDAP
MD5 hash?
> You can fix the MD5 issue and gain support for {SMD5} with my patch
> at http://www.roughtrade.net/dovecot/dovecot-ldap-md5-quirk-0.99.10.6.diff
> although I haven't tested this recently. Let me know if it works for you.
Aha. But patching sources isn't my thing. After doing such, more things
will be broken than before... :-(
A
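
For reference on the {MD5} and {SMD5} schemes discussed in this thread, the following is an added example, not code from the thread, from Dovecot, or from the linked patch. It assumes the OpenLDAP encoding of userPassword: {MD5} is base64 of the raw 16-byte digest, and {SMD5} is base64 of MD5(password + salt) followed by the salt; the function names and sample values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

MD5_LEN = 16  # size of a raw MD5 digest in bytes


def encode_userpassword(password: bytes, scheme: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP-style userPassword value for {MD5} or {SMD5}."""
    scheme = scheme.upper()
    if scheme == "MD5":
        blob = hashlib.md5(password).digest()
    elif scheme == "SMD5":
        if not salt:
            raise ValueError("{SMD5} needs a non-empty salt")
        # The salt is appended to the digest so the verifier can recover it.
        blob = hashlib.md5(password + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def verify_userpassword(stored: str, password: bytes) -> bool:
    """Check a password against a {MD5} or {SMD5} userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    scheme = scheme.upper()
    if scheme == "MD5" and len(blob) == MD5_LEN:
        digest, salt = blob, b""
    elif scheme == "SMD5" and len(blob) > MD5_LEN:
        digest, salt = blob[:MD5_LEN], blob[MD5_LEN:]
    else:
        # Same label, different encoding (e.g. a hex digest) ends up here.
        return False
    # Constant-time comparison of the recomputed digest.
    return hmac.compare_digest(hashlib.md5(password + salt).digest(), digest)
```

A value that carries the {MD5} label but stores the digest in another encoding, such as hex, is rejected by the length check, which is the kind of mismatch that makes two systems' "{MD5}" incompatible.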