BUG: nopassword doesn't work with CRAM-MD5

Arkadiusz Miśkiewicz arekm at maven.pl
Thu Nov 17 08:44:30 UTC 2016


On Thursday 17 of November 2016, Aki Tuomi wrote:
> On 17.11.2016 10:30, Arkadiusz Miśkiewicz wrote:
> > On Thursday 17 of November 2016, Aki Tuomi wrote:
> >> On 17.11.2016 10:14, Arkadiusz Miśkiewicz wrote:
> >>> Hello.
> >>> 
> >>> dovecot 2.2.26.0
> >>> 
> >>> When testing nopassword extra field
> >>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5
> >>> dovecot doesn't allow any password (while it should) and returns
> >>> 
> >>> " Authentication failed"
> >>> 
> >>> while in logs:
> >>> 
> >>> Nov 17 08:22:34 auth-worker(1551): Info:
> >>> sql(pepe,127.0.0.1,<Y8amDXpBptV/AAAB>): Requested CRAM-MD5 scheme, but
> >>> we have a NULL password
> >>> 
> >>> NULL is there because our sql query returns empty password just like
> >>> wiki says "nopassword:  you want to allow all passwords, use an empty
> >>> password and this field. "
> >>> 
> >>> 
> >>> If password is returned in sql query then it fails, too:
> >>> 
> >>> Nov 17 09:00:49 auth-worker(2206): Error:
> >>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
> >>> non- empty
> >>> 
> >>> So looks to be a bug.
> >> 
> >> It's not a bug. CRAM-MD5 does in fact require *some* password to work,
> > 
> > Provide fake/random one for nopassword internally.
> > 
> >> you can either store it with doveadm pw -S CRAM-MD5 or as plain text
> >> password.
> > 
> > Then I get
> > 
> >>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
> >>> non- empty
> > 
> > So that doesn't help
> > 
> > btw. doveadm pw -S is not documented, so no idea what it does
> > 
> >> Aki
> 
> sorry, typo.
> 
> Meant doveadm pw -s CRAM-MD5
> 
> How do you perceive user login works with CRAM-MD5 if you do not provide
> *any* password for the user? 

I can provide it and I want to do that but nopassword doesn't let me.

> Some passdb backend must provide a password
> for the user, if you want to load extra attributes from alternative
> backend, use noauthenticate instead of nopassword, but make sure the
> last passdb can authenticate the user.

Ok, I'll try noauthenticate.

> 
> Aki


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
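
The point made in the thread, that CRAM-MD5 cannot work without a stored secret while a mechanism that transmits the password can ignore it, shown as an added Python example (not code from the thread or from Dovecot). The function names and the `accept_any_password` flag are assumptions that only model a nopassword-style policy; the sample challenge and secret are the ones printed in RFC 2195.

```python
import base64
import hashlib
import hmac

def cram_md5_response(username, password, challenge_b64):
    """Client side (RFC 2195): base64 of '<user> <hex HMAC-MD5(key=password, msg=challenge)>'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def verify_cram_md5(stored_password, challenge_b64, response_b64):
    """Server side: return the username if the response matches, else None."""
    if not stored_password:
        # The client never sends its password, only a keyed digest, so with no
        # stored secret there is no key to recompute the HMAC with.
        return None
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    username, sep, client_digest = decoded.rpartition(" ")
    if not sep or not username:
        return None
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), client_digest.lower().encode())
    return username if ok else None

def verify_plain(stored_password, accept_any_password, sasl_plain):
    """PLAIN (RFC 4616): the message is authzid NUL authcid NUL password."""
    parts = sasl_plain.split(b"\0")
    if len(parts) != 3:
        return None
    _authzid, authcid, password = parts
    if accept_any_password:
        # Hypothetical nopassword-style policy: the server holds the password
        # itself here and can simply choose not to compare it.
        return authcid.decode()
    if stored_password and hmac.compare_digest(stored_password.encode(), password):
        return authcid.decode()
    return None

# Sample values: the example exchange printed in RFC 2195.
RFC_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
RFC_SECRET = "tanstaaftanstaaf"

if __name__ == "__main__":
    resp = cram_md5_response("tim", RFC_SECRET, RFC_CHALLENGE)
    print(verify_cram_md5(RFC_SECRET, RFC_CHALLENGE, resp))  # stored secret present
    print(verify_cram_md5(None, RFC_CHALLENGE, resp))        # NULL password from passdb
    print(verify_plain(None, True, b"\0pepe\0anything"))     # password sent, then ignored
```
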

