On Thursday 17 of November 2016, Aki Tuomi wrote: > On 17.11.2016 10:30, Arkadiusz Miśkiewicz wrote: > > On Thursday 17 of November 2016, Aki Tuomi wrote: > >> On 17.11.2016 10:14, Arkadiusz Miśkiewicz wrote: > >>> Hello. > >>> > >>> dovecot 2.2.26.0 > >>> > >>> When testing nopassword extra field > >>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5 > >>> dovecot doesn't allow any password (while it should) and returns > >>> > >>> " Authentication failed" > >>> > >>> while in logs: > >>> > >>> Nov 17 08:22:34 auth-worker(1551): Info: > >>> sql(pepe,127.0.0.1,<Y8amDXpBptV/AAAB>): Requested CRAM-MD5 scheme, but > >>> we have a NULL password > >>> > >>> NULL is there because our sql query returns empty password just like > >>> wiki says "nopassword: you want to allow all passwords, use an empty > >>> password and this field. " > >>> > >>> > >>> If password is returned in sql query then it fails, too: > >>> > >>> Nov 17 09:00:49 auth-worker(2206): Error: > >>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is > >>> non- empty > >>> > >>> So looks to be a bug. > >> > >> It's not a bug. CRAM-MD5 does in fact require *some* password to work, > > > > Provide fake/random one for nopassword internally. > > > >> you can either store it with doveadm pw -S CRAM-MD5 or as plain text > >> password. > > > > Then I get > > > >>> sql(pepe,127.0.0.1,<eO5vlnpBtNd/AAAB>): nopassword set but password is > >>> non- empty > > > > So that doesn't help > > > > btw. doveadm pw -S is not documented, so no idea what it does > > > >> Aki > > sorry, typo. > > Ment doveadm pw -s CRAM-MD5 > > How do you perceive user login works with CRAM-MD5 if you do not provide > *any* password for the user?
I can provide it and I want to do that but nopassword doesn't let me. > Some passdb backend must provide a password > for the user, if you want to load extra attributes from alternative > backend, use noauthenticate instead of nopassword, but make sure the > last passdb can authenticate the user. Ok, I'll try noauthenticate. > > Aki -- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
