[exim] ldapauth and SSHA

Author: Meinhard Schneider
Date:  
To: exim-users
Subject: [exim] ldapauth and SSHA
Hi,

I got a problem with ldapauth and passwords hashed with SSHA.

I wrote my own authenticator:
plainldap_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if \
    and { \
      { \
        ldapauth \
        { \
          user="uid=${quote_ldap_dn:$auth2},cn=users,dc=XXX,dc=de" \
          pass=${quote_ldap:$auth3} \
          ldap://xx.xx.xx.xx/ \
        } \
      } \
      { \
        eq \
        { \
          ${lookup ldap{ldap://xx.xx.xx.xx/cn=smtp,cn=users,dc=XXX,dc=de?memberUid?sub?memberUid=${quote_ldap:$auth2}}{yes}{no}} \
        } \
        { yes } \
      } \
    } \
    {yes} \
    {no} \
  }
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

This worked fine for months. All passwords were stored as MD5 hashes (I'm
using cpu [1] for managing LDAP users and MD5 is the default hashing algo).
But some weeks ago I wrote a web interface for users to change their passwords.
This interface is using a Perl module [2]. If a user changed his password, the
new password will be hashed as SSHA (default for slapd when option
olcPasswordHash is unset).
If this happened, Exim refuses to authenticate this user. I tried this by hand -
I have to change the password hashing algo back to MD5 and everything is working
again. However - all other authentication via pam.d works fine with SSHA.

I tried to figure out if there are known flaws with Exim's ldapauth vs. LDAP
SSHA, but Google doesn't help me. Any ideas what I'm doing wrong?

I am using Debian Testing with Exim 4.80 and slapd 2.4.31.

Greetings
Meinhard

[1]: http://cpu.sourceforge.net/
[2]: http://search.cpan.org/~marschap/perl-ldap-0.44/lib/Net/LDAP/Extension/SetPassword.pm
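A small verifier for the userPassword schemes mentioned above (SSHA, the slapd default, and MD5), as an added example that is not part of Meinhard's message: it builds a constructed {SSHA} value the way slapd stores it (base64 of the SHA-1 digest followed by the salt) and checks a candidate password against it, which is a quick way to confirm that what the web interface wrote into LDAP is a well-formed hash before suspecting the MTA. Exim's ldapauth only performs an LDAP simple bind, so this hash comparison is what slapd does on its behalf; the scheme table, function names and sample values are my own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# userPassword schemes handled here: hash algorithm and whether a salt is appended.
# Salted values are base64(digest || salt); unsalted ones are base64(digest).
SCHEMES = {"SSHA": ("sha1", True), "SHA": ("sha1", False),
           "SMD5": ("md5", True), "MD5": ("md5", False)}


def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value such as {SSHA}base64(sha1(password+salt)+salt)."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)  # slapd uses a 4-byte random salt by default
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SCHEME}base64 userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # cleartext or unknown layout is not handled here
    scheme, _, payload = stored[1:].partition("}")
    if scheme.upper() not in SCHEMES:
        return False  # e.g. {CRYPT}: different format, outside this example
    algo, salted = SCHEMES[scheme.upper()]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # malformed base64 is a sign the hash was written wrongly
    size = hashlib.new(algo).digest_size
    digest = raw[:size]
    salt = raw[size:] if salted else b""
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample values (not from the post). A fixed salt keeps the SSHA
# value reproducible; real slapd entries carry a random salt.
SAMPLE_SSHA = make_hash("s3cret", "SSHA", salt=b"\xde\xad\xbe\xef")
SAMPLE_MD5 = make_hash("s3cret", "MD5")

if __name__ == "__main__":
    print(SAMPLE_SSHA, check_password(SAMPLE_SSHA, "s3cret"))
    print(SAMPLE_MD5, check_password(SAMPLE_MD5, "wrong"))
```

Feed it the actual userPassword value read back with ldapsearch as the slapd admin: a value that fails here for the known-correct password points at the web interface's hashing, not at Exim.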