Hi,
I got a problem with ldapauth and passwords hashed with SSHA.
I wrote my own authenticator:
plainldap_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if \
    and { \
      { \
        ldapauth \
        { \
          user="uid=${quote_ldap_dn:$auth2},cn=users,dc=XXX,dc=de" \
          pass=${quote_ldap:$auth3} \
          ldap://xx.xx.xx.xx/ \
        } \
      } \
      { \
        eq \
        { \
          ${lookup ldap{ldap://xx.xx.xx.xx/cn=smtp,cn=users,dc=XXX,dc=de?memberUid?sub?memberUid=${quote_ldap:$auth2}}{yes}{no}} \
        } \
        { yes } \
      } \
    } \
    {yes} \
    {no} \
  }
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
This worked fine over months. All passwords were stored as MD5 hashes (I'm
using cpu [1] for managing LDAP users and MD5 is the default hashing algo).
But some weeks ago I wrote a web interface for users to change their passwords.
This interface is using a Perl module [2]. If a user changes his password, the
new password is hashed as SSHA (default for slapd when option
olcPasswordHash is unset).
If this happens, Exim refuses to authenticate this user. I tried this by hand -
I have to change the password hashing algo back to MD5 and everything is working
again. However - all other authentication via pam.d works fine with SSHA.
I tried to figure out if there are known flaws with Exim's ldapauth vs. LDAP
SSHA, but Google doesn't help me. Any ideas what I'm doing wrong?
I am using Debian Testing with Exim 4.80 and slapd 2.4.31.
Greetings
Meinhard
[1]: http://cpu.sourceforge.net/
[2]: http://search.cpan.org/~marschap/perl-ldap-0.44/lib/Net/LDAP/Extension/SetPassword.pm
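As an added illustration (not part of Meinhard's post, of Exim, or of slapd), this Python snippet builds and verifies the two RFC 2307 userPassword formats the post is about: the unsalted {MD5} value cpu writes and the salted {SSHA} value slapd produces by default. It is useful for checking by hand which scheme a given directory entry holds and whether a candidate password matches it; the sample passwords and salts are constructed.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 userPassword encodings as stored by slapd (constructed examples):
#   {MD5}  -> base64(md5(password))                 unsalted
#   {SSHA} -> base64(sha1(password + salt) + salt)  salt appended after the digest


def make_md5(password):
    """Return a {MD5} userPassword value (no salt, as cpu's default writes it)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password, salt=None):
    """Return a {SSHA} userPassword value; slapd uses a random salt, here 4 bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored, candidate):
    """Check a candidate password against a {MD5} or {SSHA} userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("unsupported userPassword format (expected {SCHEME}base64)")
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    pw = candidate.encode("utf-8")
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme.upper() == "SSHA":
        # A SHA-1 digest is always 20 bytes; whatever follows is the salt.
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme {%s}" % scheme)


if __name__ == "__main__":
    for value in (make_md5("secret"), make_ssha("secret")):
        print(value, verify_userpassword(value, "secret"))
```

Comparing the output of the two constructors with the userPassword attribute of a working and of a failing account shows whether the difference really is the hashing scheme rather than something else in the entry.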