I re-directed my question to the OpenLDAP list and got some help there... It 
seems that the pw was actually being stored in plain text, but encoded base64 
which is why it looked so funny. It also seems that auth_pop was choking on 
plain text and crypt passwords for no apparent reason (something I haven't 
bothered to investigate). With some experimentation, I found that MD5 
passwords work fine so I guess that'll be my method. The MD5 passwords still 
look funny when pulled from the database using an ldapsearch because the 
{MD5} is also base64-encoded. But when I base64-decode them, they look as 
they should and auth_pop is now functioning properly.

An example, my MD5 password "testpass" looks like this from ldapsearch:

     userPassword:: e01ENX1GNXJVWEd6aXk1ZlBFQ25pRWdSdWdRPT0=

using python to decode (a trick I had never known about until yesterday when 
somebody showed me how):

     [eric@europa eric]$ python
     Python 2.0 (#1, Apr 11 2001, 19:18:08)
     [GCC 2.96 20000731 (Linux-Mandrake 8.0 2.96-0.48mdk)] on linux-i386
     Type "copyright", "credits" or "license" for more information.
     >>> import base64
     >>> base64.decodestring('e01ENX1GNXJVWEd6aXk1ZlBFQ25pRWdSdWdRPT0=') 
     '{MD5}F5rUXGziy5fPECniEgRugQ=='
     >>>
     [eric@europa eric]$

Check this against the password MD5-encoded by slappasswd:

     [eric@metis eric]$ /usr/local/sbin/slappasswd -h {MD5} -s "testpass"
     {MD5}F5rUXGziy5fPECniEgRugQ==
     [eric@metis eric]$

And you see, the passwords match! btw, I also learned that the double colon 
in an ldap search (e.g. userPassword:: ...) simply means that the field has 
been stored encoded in base64... Something to look out for in the future.

Thanks for your help,

-Eric

-- 
arctic bears - the internet - your way.
email hosting from US$8/month, domains from US$19/year.
http://www.arcticbears.com

On July 14, 2001 11:58 am, pop corn wrote:
> Is this working for you yet? I'm concerned that I sidetracked your issue
> with my question about the uid field.
>
>
> From: Eric Paynter <[EMAIL PROTECTED]>
>
> >To: <[EMAIL PROTECTED]>
> >Subject: Can't get auth_pop to auth!
> >Date: Thu, 12 Jul 2001 20:58:19 -0700
> >
> >I'm trying to get auth_pop to work for qmail-pop3d. My test user id is
> >[EMAIL PROTECTED] The password is testpass. I know that auth_pop is
> >hitting the ldap server because I can see it in the syslog. I'm using
> >OpenLDAP 2.0.11, qmail-1.03, qmail-ldap-1.03-20010501
> >
> >Below are outputs from uname, qmail-ldaplookup, ldapsearch, and an
> >auth_pop session. After that is a sample from the syslog indicating that
> >the auth_pop did hit the ldap server. If anybody has any ideas or would
> >like any other info, please let me know. At this point, I'm pretty stumped.
> >
> >Thanks,
> >
> >-Eric
> >
> >[root@metis /root]# uname -a
> >Linux metis.arcticbears.com 2.2.19-4.1mdk #1 Mon Apr 9 10:34:05 MDT 2001
> >i686
> >unknown
> >[root@metis /root]# qmail-ldaplookup -m [EMAIL PROTECTED]
> >init_ldap:      passwords are not compared via rebind
> >                 localdelivery:   off
> >                 clustering:      off
> >                 ldapobjectclass:
> >                 homedirmaker:
> >                 defaultDotMode:  ldaponly
> >                 defaultQuota:    10000000S, 10000C
> >                 QuotaWarning:
> >------
> >Quota Violation: your mailbox is over it's size limit.
> >Please contact [EMAIL PROTECTED] if you have any questions related
> > to this message.
> >
> >------
> >ldap_lookup:    searching with
> >(|([EMAIL PROTECTED])([EMAIL PROTECTED]))
> >ldap_lookup:    succeeded, found:
> >                 uid: [EMAIL PROTECTED]
> >                 qmailUID: 522
> >                 qmailGID: 521
> >                 accountStatus: active
> >                 mailMessageStore: [EMAIL PROTECTED]
> >                 homeDirectory: (null pointer)
> >                 mailHost: metis.arcticbears.com
> >                 mail: [EMAIL PROTECTED]
> >                 mailAlternateAddress: no entry in the database
> >                 mailQuota: no entry in the database
> >                 mailForwardingAddress: no entry in the database
> >                 deliveryProgramPath: no entry in the database
> >                 qmailDotMode: no entry in the database
> >                 deliveryMode: no entry in the database
> >                 mailReplyText: no entry in the database
> >[root@metis /root]# ldapsearch -h localhost -b 'dc=arcticbears,dc=com'
> >'([EMAIL PROTECTED])'
> >version: 2
> >
> >#
> ># filter: ([EMAIL PROTECTED])
> ># requesting: ALL
> >#
> >
> ># [EMAIL PROTECTED], accounts, dc=arcticbears, dc=com
> >dn: [EMAIL PROTECTED], ou=accounts, dc=arcticbears, dc=com
> >cn: Eric Paynter
> >sn: Paynter
> >objectClass: top
> >objectClass: person
> >objectClass: inetOrgPerson
> >objectClass: qmailUser
> >mail: [EMAIL PROTECTED]
> >mailHost: metis.arcticbears.com
> >mailMessageStore: [EMAIL PROTECTED]
> >uid: [EMAIL PROTECTED]
> >userPassword:: dGVzdHBhc3M=
> >accountStatus: active
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 2
> ># numEntries: 1
> >[root@metis /root]# /var/qmail/bin/qmail-popup localhost \
> >
> > > /var/qmail/bin/auth_pop pwd
> >
> >+OK <23518.994995796@localhost>
> >user [EMAIL PROTECTED]
> >+OK
> >pass testpass
> >-ERR authorization failed
> >
> >Entry in syslog for above command:
> >
> >Jul 12 20:43:23 metis slapd[17219]: daemon: conn=204 fd=9 connection from
> >IP=127.0.0.1:2054 (IP=0.0.0.0:34049) accepted.
> >Jul 12 20:43:23 metis slapd[17225]: conn=204 op=0 BIND dn="" method=128
> >Jul 12 20:43:23 metis slapd[17225]: conn=204 op=0 RESULT tag=97 err=0
> >text=
> >Jul 12 20:43:23 metis slapd[17224]: conn=204 op=1 SRCH
> >base="dc=arcticbears,dc=com" scope=2 filter="([EMAIL PROTECTED])"
> >Jul 12 20:43:23 metis slapd[17224]: conn=204 op=1 SEARCH RESULT tag=101
> >err=0
> >text=
> >Jul 12 20:43:23 metis slapd[17225]: conn=204 op=2 UNBIND
> >Jul 12 20:43:23 metis slapd[17225]: conn=-1 fd=9 closed
> >
> >
> >
> >--
> >arctic bears - the internet - your way.
> >email hosting from US$8/month, domains from US$19/year.
> >http://www.arcticbears.com
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com
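
The decoding and comparison described in the message above, as an added example in current Python 3 (not part of the original thread, and not qmail-ldap or OpenLDAP code). The function names are illustrative; the two sample values are the `userPassword::` lines quoted in the thread.

```python
import base64
import hashlib
import hmac
import re

# The two userPassword lines quoted in the thread's ldapsearch output.
SAMPLE_LDIF = """\
userPassword:: dGVzdHBhc3M=
userPassword:: e01ENX1GNXJVWEd6aXk1ZlBFQ25pRWdSdWdRPT0=
"""

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def ldif_value(line):
    """Return (attribute, raw bytes) for 'attr: value' or 'attr:: base64'."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # double colon: the value is base64-encoded
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode()

def classify(stored):
    """Split a stored value into (scheme, payload).

    A value without a leading {SCHEME} tag is the password itself.
    """
    m = SCHEME_RE.match(stored)
    if not m:
        return "CLEARTEXT", stored
    return m.group(1).decode().upper(), m.group(2)

def check_md5(stored, candidate):
    """Compare a candidate password with a stored {MD5} value."""
    scheme, payload = classify(stored)
    if scheme != "MD5":
        raise ValueError("not an {MD5} value: " + scheme)
    # {MD5} payload is base64 of the raw 16-byte MD5 digest, with no salt.
    digest = base64.b64encode(hashlib.md5(candidate.encode()).digest())
    return hmac.compare_digest(digest, payload)

def audit(ldif):
    """List the storage scheme of every userPassword line in an LDIF dump."""
    schemes = []
    for line in ldif.splitlines():
        if line.lower().startswith("userpassword:"):
            schemes.append(classify(ldif_value(line)[1])[0])
    return schemes

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

The base64 layer that `::` signals is only LDIF transport encoding, so `audit` reports the first value as cleartext and the second as `{MD5}`.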
