Hi,

Gordon Messmer wrote:
Sebastiaan van Erk wrote:
When I set the password for a mail user using ldappasswd, everything works fine and well. When I change the password using the squirrelmail password change plugin, courier no longer authenticates my user:
...
However when I change the ldapauth flag LDAP_AUTHBIND to 1 and restart courier-authdaemon, then it does work:

I believe that's because SSHA hashes are supported by openldap (which means AUTHBIND will work when using an SSHA hash), but not by courier-authlib.
Thanks for the answer.

However, the strange thing is that it DOES work when I set the LDAP password using ldappasswd (also using LDAP_AUTHBIND 0). When I do "authtest sebster" right after setting the password this way it shows me an {SSHA} password hash:
# ldappasswd -W -D 'cn=admin,dc=dot' -s aaa 'uid=sebster,ou=users,dc=sebster,dc=com,dc=dot'
After which
# authtest sebster
Authentication succeeded.
Authenticated: sebster (uid 2000, gid 2000)
Home Directory: /data/mail/popboxes/sebster-com/sebster
Maildir: (none)
Quota: (none)
Encrypted Password: {SSHA}VozfaTyQG4Gm73fMAdpqyJ0Xz21Bp80B
Cleartext Password: (none)
Options: wbnodsn=1
Courier authenticates fine against this hash (using LDAP_AUTHBIND 0).
However as soon as I set the hash through squirrel mail (change
password), it breaks.
AUTHBIND is usually the way that LDAP clients authenticate. Allowing them to read the hash directly should be avoided whenever possible.
That's a good point. Didn't think of that yet.

Regards,
Sebastiaan
If you have a reason to expose the hashes to clients, you will probably need to use a less secure, but more widely supported hash method. I think you can put:
password-hash {CRYPT}
in slapd.conf to use crypt() style hashes by default.
------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
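An added example, not part of the original thread and not courier-authlib or OpenLDAP code: a Python checker for the {SSHA} layout (base64 of the SHA-1 digest of password plus salt, followed by the salt), which can be used to compare the value written by ldappasswd with one written by another client. The function names are hypothetical; the stored value is the one authtest printed above, and the second value is constructed.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it is the salt


def parse_ssha(value):
    """Return (digest, salt) from an {SSHA} value, or raise ValueError."""
    if value[:6].upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    # binascii.Error (bad base64) is a subclass of ValueError
    raw = base64.b64decode(value[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("payload too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Build an {SSHA} value; a random 4-byte salt is used if none is given."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(value, password):
    """True only if value is well-formed {SSHA} and matches password."""
    try:
        digest, salt = parse_ssha(value)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Value printed by authtest in the thread, set with "ldappasswd -s aaa".
    stored = "{SSHA}VozfaTyQG4Gm73fMAdpqyJ0Xz21Bp80B"
    digest, salt = parse_ssha(stored)
    print("digest bytes:", len(digest), "salt bytes:", len(salt))
    print("matches 'aaa':", check_ssha(stored, "aaa"))
    # Constructed value for comparison (fixed salt so the run is repeatable).
    sample = make_ssha("aaa", salt=b"\x01\x02\x03\x04")
    print(sample, check_ssha(sample, "aaa"), check_ssha(sample, "wrong"))
```

Running the same parse on the value stored after a password change from another client shows whether its scheme prefix, base64 payload and salt length differ from the ldappasswd one.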
