Problems generating LDAP passwords for Dovecot POP3/IMAP daemon...
Luis Motta Campos
monsieur_champs at yahoo.com.br
Sat Aug 19 21:14:09 BST 2006
I'm facing a fancy problem here: I'm writing a Catalyst-based
intranet website for my company, and the first feature I need to throw in
is password changing so the users can change his/her own
mail/intranet/filesystem/etc. passwords, without having to see the ugly
system administrator face.
Everything went fine until I tried to change my own password and
fetch emails through POP (so I make sure password changing works).
I felt surprised when I received an "authentication failed" message
from the mail client, and started trying other services to figure out
what's going on. The only service that doesn't work is Dovecot's
POP3/IMAP authentication through LDAP. All other services are fine with
the just-changed password.
One interesting thing about Dovecot is that it needs to read in the
password from LDAP and crypt() it to authenticate a user. I have no
other service that authenticates users this way. Every other service uses
bind() to authenticate users.
I tried (without any response) a mail to dovecot at dovecot.org, and
asked my Perl fellows at Cascavel-PM about this issue. Suggestions I've
already tried to implement to make it work:
1. Need to MIME::Base64::encode_base64() the string
"{SCHEMA}crypted_password" before stuffing it on the LDAP.
2. Need to MIME::Base64::encode_base64() the string
"crypted_password", add the {SCHEMA} prefix and then stuff into the LDAP.
3. Just encode_base64( crypt( $password, SALT ) ) and stuff into LDAP.
4. Forget encode_base64, try all the alternatives again.
5. Just stuff $password into Net::LDAP, it knows what it is doing.
I have attached a small piece of code that tries to reproduce the error.
Guess this could be useful.
I'm using Debian Linux, with the following versions:
Package              Version
-------              -------
dovecot-common       0.99.14-1sarge0
dovecot-imapd        0.99.14-1sarge0
dovecot-pop3d        0.99.14-1sarge0
perl                 5.8.4-8sarge4
libnet-ldap-perl     0.3202-3
apache-perl          1.3.33-6sarge2
slapd                2.2.23-8
kernel-image-2.4.2   2.4.27-10sarge1
I'm using Net::LDAP(v0.32) to access the LDAP to change password.
I'm thinking seriously about the hypothesis that all this mess is caused by
the wrong choice of crypt()'s SALT. Mine was copied from $(perldoc -f
crypt), and it seems to work fine.
Does anybody here know how Dovecot deals with passwords, or can provide me
some Perl code to handle LDAP password changing in such a way that
Dovecot likes it?
Ah! One last piece of information: when I change passwords using ldappasswd
everything goes fine, and my LDAP has the default encryption schema set
to CRYPT, as required by Dovecot.
Thank you very much.
Regards.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Luis Motta Campos is Software Engineer, Oracle OCP/DBA, Un*x
Sysadmin, Member of {Lisbon,São Paulo,Cascavel,Brasil,London}
Perl Mongers and Perl Fanatic Evangelist
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: passwd
Url: http://london.pm.org/pipermail/london.pm/attachments/20060819/f4552e3e/passwd.ksh
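
An added example, not part of the original post or its scrubbed attachment: a Perl sketch that builds the stored forms named in suggestions 1 to 5 and runs each through a crypt()-and-compare check of the kind the post describes. The `verify_crypt` helper, the literal `{CRYPT}` prefix handling and the sample password are assumptions for illustration, not Dovecot's code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Salt alphabet of traditional crypt(3): [./0-9A-Za-z].
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

sub random_salt {
    # rand() is not a CSPRNG; tolerable here because a salt is not a secret.
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. 2;
}

# Hypothetical model of the check the post describes: read userPassword,
# crypt() the offered password with the stored hash as salt, compare.
sub verify_crypt {
    my ($stored, $offered) = @_;
    my ($hash) = $stored =~ /^\{CRYPT\}(.+)$/i or return 0;
    my $computed = crypt($offered, $hash);
    return (defined $computed && $computed eq $hash) ? 1 : 0;
}

my $password = 'constructed-sample';    # constructed sample value
my $hash     = crypt($password, random_salt());
die "crypt() rejected the two-character salt on this system\n"
    unless defined $hash;

# Stored forms corresponding to the numbered suggestions in the post.
my @forms = (
    [ '1: base64("{CRYPT}" . hash)' => encode_base64("{CRYPT}$hash", '') ],
    [ '2: "{CRYPT}" . base64(hash)' => '{CRYPT}' . encode_base64($hash, '') ],
    [ '3: base64(hash), no prefix'  => encode_base64($hash, '') ],
    [ '4: "{CRYPT}" . hash'         => "{CRYPT}$hash" ],
    [ '5: plain password'           => $password ],
);

for my $form (@forms) {
    my ($label, $value) = @$form;
    printf "%-30s %-36s %s\n", $label, $value,
        verify_crypt($value, $password) ? 'accepted' : 'rejected';
}
```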