[Dovecot] bug? ldap auth CRAM-MD5

André Höpner a.hoepner at ibased.de
Wed Apr 25 20:07:35 EEST 2007

Hello list,

our users are authenticated against an ldap-server.
everything works fine...

dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=,
lip=, secured

but now we want to use secure passwords and not
only plain over ssl. so we configured dovecot to use
cram-md5 and configured the ldap-server with CRAM-MD5
passwords. as client we used thunderbird 2.0 and a
webfrontend called roundcube.
that does not work, because the server gives...

dovecot: auth(default): ldap(xxx, Password mismatch

then we tried to use DIGEST-MD5. we changed the ldap
password to the one created with dovecotpw.
but this doesn't work either. thunderbird requests CRAM-MD5
and not DIGEST-MD5.

so the log says:
dovecot: auth(default): password(xxx, Requested CRAM-MD5 scheme,
but we have only DIGEST-MD5
imap-login: Aborted login: user=<xxx>, method=CRAM-MD5

after that we changed the password back to CRAM-MD5, but
we made the mistake of not deleting the DIGEST-MD5 value.
so the users had 2 passwords set...


password is "test" in both cases.
on the next try when we start thunderbird it works. I don't know
why and the log of dovecot says...

auth(default): ldap(xxx, Multiple password values not supported
imap-login: Login: user=<xxx>, method=CRAM-MD5, rip=,
lip=, secured

user was logged in using CRAM-MD5. it's not nice but it works.
does anyone have an idea why? because of the apache module that
authenticates against ldap, and because apache supports neither
CRAM-MD5 nor DIGEST-MD5, we have set the password a third time using MD5.

So every user has the same password three times with different encryptions.
Not nice - but it works. But what can we do to change this? I don't
like to set passwords three times.

our configuration:

# /etc/dovecot/dovecot.conf
ssl_cert_file: /etc/ssl/ssl.pem
ssl_key_file: /etc/ssl/ssl.key
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_extra_groups: mail
mail_location: mbox:/var/mail/dovecot/%n:INDEX=/var/mail/dovecot/indexes/%n
mail_plugins: quota imap_quota
auth default:
  mechanisms: plain login cram-md5 digest-md5
  verbose: yes
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  quota: maildir:storage=1024


# /etc/dovecot/dovecot-ldap.conf
hosts =
dn = cn=dovecot,dc=xxx,dc=com
dnpass = dovecot

sasl_bind = no
sasl_mech = DIGEST-MD5
tls = no
auth_bind = no

ldap_version = 3
base = ou=People,dc=xxx,dc=com
scope = subtree

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))

default_pass_scheme = DIGEST-MD5


best regards
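
An added example, not part of the original post and not Dovecot's code: it shows why a value stored for one mechanism cannot verify another, since the CRAM-MD5 check (RFC 2195) must recompute HMAC-MD5 keyed with the password itself. The user, realm and challenge are constructed; Dovecot's own CRAM-MD5 scheme, which stores a precomputed HMAC-MD5 context instead of the cleartext, is not reproduced here.

```python
import hashlib
import hmac

# Constructed sample values; "test" is the password the post mentions.
USER, REALM, PASSWORD = "xxx", "example.com", "test"
CHALLENGE = b"<1234.5678@mail.example.com>"  # constructed server challenge


def cram_md5_response(key: bytes, challenge: bytes) -> str:
    """CRAM-MD5 digest per RFC 2195: HMAC-MD5(key, challenge) in hex."""
    return hmac.new(key, challenge, hashlib.md5).hexdigest()


def stored_forms(user: str, realm: str, password: str) -> dict:
    """Three ways a directory entry might hold the same password."""
    return {
        "cleartext": password,
        # DIGEST-MD5 (RFC 2831) works from MD5(user:realm:password).
        "DIGEST-MD5 HA1": hashlib.md5(
            f"{user}:{realm}:{password}".encode()).hexdigest(),
        # Plain unsalted MD5 of the password alone.
        "unsalted MD5": hashlib.md5(password.encode()).hexdigest(),
    }


def usable_for_cram(stored: str, challenge: bytes, response: str) -> bool:
    """Treat the stored value as the HMAC key and compare with the client."""
    expected = cram_md5_response(stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def try_all() -> dict:
    """Check one genuine client response against every stored form."""
    response = cram_md5_response(PASSWORD.encode(), CHALLENGE)
    return {
        name: usable_for_cram(value, CHALLENGE, response)
        for name, value in stored_forms(USER, REALM, PASSWORD).items()
    }


if __name__ == "__main__":
    for name, ok in try_all().items():
        print(f"{name:15s} verifies CRAM-MD5 response: {ok}")
```

Only the cleartext form verifies the response; the DIGEST-MD5 and MD5 values are one-way hashes of different inputs and give a different HMAC key.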
