Problems generating LDAP passwords for Dovecot POP3/IMAP daemon...

Luis Motta Campos monsieur_champs at
Sat Aug 19 21:14:09 BST 2006

  I'm facing a fancy problem here: I'm writing a Catalyst-based
intranet website for my company, and the first feature I need to throw in
is password changing so the users can change his/her own
mail/intranet/filesystem/etc. passwords, without having to see the ugly
system administrator face.

  Everything went fine until I tried to change my own password and
fetch emails through POP (so I make sure password changing works).

  I was surprised when I received an "authentication failed" message
from the mail client, and started trying other services to figure out
what's going on. The only service that doesn't work is Dovecot's
POP3/IMAP authentication through LDAP. All other services are fine with
the just-changed password.

  One interesting thing about Dovecot is that it needs to read in the
password from LDAP and crypt() it to authenticate a user. I have no
other service that authenticates users this way. Every other service uses
bind() to authenticate users.

  I tried (without any response) a mail to dovecot at, and
asked my Perl fellows at Cascavel-PM about this issue. Suggestions I've
already tried to implement to make it work:

  1. Need to MIME::Base64::encode_base64() the string
"{SCHEMA}crypted_password" before stuffing it on the LDAP.
  2. Need to MIME::Base64::encode_base64() the string
"crypted_password", add the {SCHEMA} prefix and then stuff into the LDAP.
  3. Just encode_base64( crypt( $password, SALT ) ) and stuff into LDAP.
  4. Forget encode_base64, try all the alternatives again.
  5. Just stuff $password into Net::LDAP, it knows what it is doing.

  I have attached a small piece of code that tries to reproduce the
error. I guess this could be useful.

  I'm using Debian Linux, with the following versions:

  Package             Version
  ----                ----
  dovecot-common      0.99.14-1sarge0
  dovecot-imapd       0.99.14-1sarge0
  dovecot-pop3d       0.99.14-1sarge0
  perl                5.8.4-8sarge4
  libnet-ldap-perl    0.3202-3
  apache-perl         1.3.33-6sarge2
  slapd               2.2.23-8
  kernel-image-2.4.2  2.4.27-10sarge1

  I'm using Net::LDAP (v0.32) to access the LDAP to change the password.

  I'm thinking seriously about the hypothesis that all this mess is
caused by the wrong crypt() SALT choice. Mine was copied from $(perldoc -f
crypt), and it seems to work fine.

  Does anybody here know how Dovecot deals with passwords, or can anybody
provide me some Perl code to handle LDAP password changing in such a way
that Dovecot likes it?

  Ah! One last piece of information: when I change passwords using
ldappasswd everything goes fine, and my LDAP has the default encryption
schema set to CRYPT, as required by Dovecot.

  Thank you very much.
 Luis Motta Campos is Software Engineer, Oracle OCP/DBA, Un*x
 Sysadmin, Member of {Lisbon,São Paulo,Cascavel,Brasil,London}
 Perl Mongers and Perl Fanatic Evangelist
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: passwd
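
An added example, not part of the original post or its scrubbed attachment: it builds a "{CRYPT}" userPassword value and then checks the raw value and encodings 1 to 3 from the list above the way a reader of the stored hash would, by re-running crypt() against it. The function names are hypothetical, and it assumes the system crypt(3) supports traditional two-character DES salts and that a value without a scheme prefix is treated as a bare crypt hash.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Characters crypt(3) accepts in a traditional DES salt.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build an RFC 2307 style value: "{CRYPT}" followed by the crypt(3) hash.
# rand() keeps the example dependency-free; use a CSPRNG for real salts.
sub make_crypt_value {
    my ($plain) = @_;
    my $salt = join '', map { $SALT_CHARS[ rand @SALT_CHARS ] } 1 .. 2;
    return '{CRYPT}' . crypt($plain, $salt);
}

# Check a stored value the way a hash-reading server must: strip the
# scheme prefix, re-run crypt() with the stored hash as salt, compare.
# Assumption: a value without a prefix is treated as a bare crypt hash.
sub check_crypt_value {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored;
    my $hash = $stored =~ /^\{crypt\}(.*)\z/is ? $1 : $stored;
    return 0 unless length $hash;
    my $try = crypt($plain, $hash);
    return defined $try && $try eq $hash ? 1 : 0;
}

my $password = 'constructed-sample-password';    # constructed test input
my $value    = make_crypt_value($password);
my $hash     = substr($value, length '{CRYPT}');

# The raw value plus encodings 1-3 from the post, as they would be stored.
my %candidates = (
    '0: {CRYPT}hash (raw)'   => $value,
    '1: base64({CRYPT}hash)' => encode_base64($value, ''),
    '2: {CRYPT}base64(hash)' => '{CRYPT}' . encode_base64($hash, ''),
    '3: base64(hash)'        => encode_base64($hash, ''),
);

for my $label (sort keys %candidates) {
    my $stored = $candidates{$label};
    printf "%-24s %-30s %s\n", $label, $stored,
        check_crypt_value($password, $stored) ? 'verifies' : 'fails';
}
```

Only the raw value verifies: a 13-character DES crypt hash grows to 20 characters once base64-encoded, so crypt() output can never equal it.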