On Tue, 2003-01-14 at 12:23, Gary Richardson wrote:
> Only CRYPT works for my servers. How do I make other encryption types
> work with qmail? 
> 

Ok,  QMAIL-LDAP has two authentication methods.

1).  Pull the UserPassword attribute from the LDAP server and
authenticate the supplied password locally.  This way will only support
Crypt.

2).  Rebind to the LDAP server using the looked up LDAP DN with the
supplied password.  This method will support any authentication that the
ldap server supports.  Make sure your userPassword attributes are in the
form of {Crypt}1298372918 or {MD5}asjhqdiuqwyhelku1h32=.  Make sure you
can bind as the DN before enabling it.

Option 1 is bad because the LDAP server is sending the passwords over
the wire (TLS or not, it is still bad).  You should lock down your LDAP
server to not allow read access to userPassword except to authenticate.

You can enable option 2 by 'echo 1 > /var/qmail/control/ldaprebind'

When I imported all the passwords from /etc/shadow I set them up as
{CRYPT}.  We have a web front end to allow users to reset their password
which uses MD5.

-Matt
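
An added example, not part of the original message or of qmail-ldap: a Python check over an LDIF export that sorts each entry's userPassword by its scheme prefix, so you can see which accounts work with either method ({CRYPT}) and which depend on ldaprebind being enabled. The LDIF, DNs, hashes and verdict labels are constructed for illustration.

```python
import base64
import re

# Constructed sample export (not from the original message): DNs and hashes are made up.
_MD5_B64 = base64.b64encode(b"{MD5}X03MO1qnZdYdgyfeuILPmQ==").decode()
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword: {CRYPT}ab01FAX.bQRSU

dn: uid=bob,ou=people,dc=example,dc=org
userPassword:: %s

dn: uid=carol,ou=people,dc=example,dc=org
userPassword: hunter2

dn: uid=dave,ou=people,dc=example,dc=org
mail: dave@example.org
""" % _MD5_B64

SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}.+$")

def classify(value):
    """Map one userPassword value to a verdict label (labels are this example's own)."""
    if value is None:
        return "missing"
    m = SCHEME.match(value)
    if not m:
        return "no-scheme-prefix"        # not in the {SCHEME}hash form
    # Option 1 (local compare) only handles crypt; anything else needs the rebind.
    return "local-or-rebind" if m.group(1).upper() == "CRYPT" else "rebind-only"

def audit(ldif_text):
    """Return {dn: verdict} for every entry in an LDIF export."""
    results = {}
    unfolded = ldif_text.replace("\n ", "")        # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or name.lower() not in ("dn", "userpassword"):
                continue
            if rest.startswith(":"):               # "attr:: value" is base64
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            attrs[name.lower()] = rest.strip()
        if "dn" in attrs:
            results[attrs["dn"]] = classify(attrs.get("userpassword"))
    return results

if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE_LDIF).items():
        print(f"{verdict:18} {dn}")
```

Entries reported as rebind-only stop authenticating if ldaprebind is turned off, and an export that contains userPassword values at all should be handled as sensitive.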
