On 17.11.2016 10:30, Arkadiusz Miśkiewicz wrote:
> On Thursday 17 of November 2016, Aki Tuomi wrote:
>> On 17.11.2016 10:14, Arkadiusz Miśkiewicz wrote:
>>> Hello.
>>>
>>> dovecot 2.2.26.0
>>>
>>> When testing nopassword extra field
>>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5
>>> dovecot doesn't allow any password (while it should) and returns
>>>
>>> " Authentication failed"
>>>
>>> while in logs:
>>>
>>> Nov 17 08:22:34 auth-worker(1551): Info:
>>> sql(pepe,127.0.0.1,<Y8amDXpBptV/AAAB>): Requested CRAM-MD5 scheme, but we
>>> have a NULL password
>>>
>>> NULL is there because our sql query returns empty password just like wiki
>>> says "nopassword: you want to allow all passwords, use an empty
>>> password and this field. "
>>>
>>>
>>> If password is returned in sql query then it fails, too:
>>>
>>> Nov 17 09:00:49 auth-worker(2206): Error:
>>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
>>> non- empty
>>>
>>> So looks to be a bug.
>> It's not a bug. CRAM-MD5 does in fact require *some* password to work,
> Provide fake/random one for nopassword internally.
>
>> you can either store it with doveadm pw -S CRAM-MD5 or as plain text
>> password.
> Then I get
>
>>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is
>>> non- empty
> So that doesn't help
>
> btw. doveadm pw -S is not documented, so no idea what it does
>
>> Aki

sorry, typo. Meant doveadm pw -s CRAM-MD5

How do you perceive user login works with CRAM-MD5 if you do not provide *any* password for the user? Some passdb backend must provide a password for the user, if you want to load extra attributes from alternative backend, use noauthenticate instead of nopassword, but make sure the last passdb can authenticate the user.

Aki
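Added example, not part of the original message and not Dovecot's code: a minimal CRAM-MD5 (RFC 2195) exchange in Python showing why the server needs a stored secret to check the client's HMAC-MD5 response, so a user with no password leaves nothing to verify against. The function names, the `lookup_secret` callback and the `PASSDB` dictionary are assumptions for illustration; the challenge, user `tim` and secret are the RFC 2195 sample values.

```python
import base64
import hashlib
import hmac


def client_response(user, password, challenge):
    """Client side: prove knowledge of the password without sending it."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(response_b64, challenge, lookup_secret):
    """Server side. lookup_secret(user) is a hypothetical passdb lookup that
    returns the user's plaintext secret, or None/"" when none is stored."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, sep, digest = decoded.rpartition(" ")
    if not sep:
        return False
    secret = lookup_secret(user)
    if not secret:
        # The "NULL password" case: the response is an HMAC keyed with the
        # client's password, so without a stored secret the server has no
        # key to recompute it with and nothing to compare against.
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


# Constructed sample passdb: "tim" has a secret, "pepe" has none.
PASSDB = {"tim": "tanstaaftanstaaf", "pepe": None}
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"

if __name__ == "__main__":
    ok = client_response("tim", "tanstaaftanstaaf", CHALLENGE)
    print("tim, correct password:", server_verify(ok, CHALLENGE, PASSDB.get))
    any_pw = client_response("pepe", "anything", CHALLENGE)
    print("pepe, no stored secret:", server_verify(any_pw, CHALLENGE, PASSDB.get))
```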
