On Tue, 2003-01-14 at 13:19, Matt wrote:
> I'm a bit confused.. what am I doing.. if I
> A) don't have a ldaprebind file
> and
> B) I have my userPasswords in clear text?
>
Probably using qmail to authenticate locally by pulling the userPassword
attribute from the LDAP Server. I use ldap-rebind so I don't know what
qmail can do locally. It can probably handle Crypt and clear text
passwords.
Hrm, after checking the source for checkpassword.c it looks like it
parses the userPassword attribute and can handle MD4, MD5, NS-MTA-MD5,
CRYPT, SHA, RMD160 and I assume plain text.
-Matt
> ~ Matt
>
> On Tue, 2003-01-14 at 12:56, Matthew Crocker wrote:
> > On Tue, 2003-01-14 at 12:23, Gary Richardson wrote:
> > > Only CRYPT works for my servers. How do I make other encryption types
> > > work with qmail?
> > >
> >
> > Ok, QMAIL-LDAP has two authentication methods.
> >
> > 1). Pull the UserPassword attribute from the LDAP server and
> > authenticate the supplied password locally. This way will only support
> > Crypt
> >
> > 2). Rebind to the LDAP server using the looked up LDAP DN with the
> > supplied password. This method will support any authentication that the
> > ldap server supports. Make sure your userPassword attributes are in the
> > form of {Crypt}1298372918 or {MD5}asjhqdiuqwyhelku1h32=. Make sure you
> > can bind as the DN before enabling it.
> >
> > Option 1 is bad because the LDAP server is sending the passwords over
> > the wire (TLS or not it is still bad). You should lock down your LDAP
> > server to not allow read access to userPassword except to authenticate.
> >
> > You can enable option 2 by 'echo 1 > /var/qmail/control/ldaprebind'
> >
> > When I imported all the passwords from /etc/shadow I set them up as
> > {CRYPT}. We have a web front end to allow users to reset their password
> > which uses MD5.
> >
> > -Matt
> >
> >
--
Matthew Crocker <[EMAIL PROTECTED]>
Crocker Communications, Inc.
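The thread contrasts two designs: option 1 reads the userPassword attribute and verifies the supplied password locally (what checkpassword.c does by parsing the `{SCHEME}` prefix), while option 2 rebinds as the user's DN so the hash never leaves the directory. The following is an added illustration, not qmail-ldap's own code, of the option 1 check: it parses RFC 2307-style `{SCHEME}base64(digest)` values, handles the MD5, SHA, CRYPT and plain-text forms the thread mentions, and uses a constant-time comparison. The sample `{MD5}` and `{SHA}` values for the password "secret" are constructed test data; CRYPT verification is delegated to Python's `crypt` module where it exists (it was removed in Python 3.13), which is an assumption of this example.

```python
import base64
import hashlib
import hmac

# RFC 2307 userPassword layout: "{SCHEME}data". For MD5/SHA the data is the
# base64 of the raw digest; for CRYPT it is a crypt(3) string; a value with
# no prefix is treated as clear text (the case asked about in the thread).


def parse_userpassword(value: str):
    """Split a userPassword value into (SCHEME, data). SCHEME is upper-cased;
    values without a {SCHEME} prefix are reported as PLAIN."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.upper(), data
    return "PLAIN", value


def make_userpassword(scheme: str, password: str) -> str:
    """Build a stored value the way a directory front end would (MD5/SHA only)."""
    algo = {"MD5": "md5", "SHA": "sha1"}[scheme.upper()]
    digest = hashlib.new(algo, password.encode()).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest).decode())


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Local (option 1) verification of `candidate` against a userPassword value.
    Raises ValueError for a scheme this example does not implement."""
    scheme, data = parse_userpassword(stored)
    pw = candidate.encode()

    if scheme == "PLAIN":
        # hmac.compare_digest avoids leaking the match length through timing
        return hmac.compare_digest(data.encode(), pw)

    if scheme in ("MD5", "SHA"):
        algo = "md5" if scheme == "MD5" else "sha1"
        try:
            expected = base64.b64decode(data, validate=True)
        except ValueError:
            return False  # malformed stored value never authenticates
        return hmac.compare_digest(expected, hashlib.new(algo, pw).digest())

    if scheme == "CRYPT":
        try:
            import crypt  # assumption: present on Python <= 3.12 (POSIX)
        except ImportError as exc:
            raise ValueError("CRYPT verification needs the crypt module") from exc
        # crypt(3) embeds the salt in the stored string, so it is also the salt arg
        return hmac.compare_digest(crypt.crypt(candidate, data), data)

    raise ValueError("unsupported userPassword scheme: %s" % scheme)


# Constructed sample directory entries (both hashes are of the password "secret").
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",
    "uid=bob,ou=people,dc=example,dc=com": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",
    "uid=carol,ou=people,dc=example,dc=com": "secret",
}


def authenticate_locally(entries: dict, dn: str, candidate: str) -> bool:
    """Option 1 as described in the thread: the caller must already hold the
    userPassword attribute, which is exactly why read access to it should be
    restricted when this mode is used."""
    stored = entries.get(dn)
    if stored is None:
        return False
    return verify_userpassword(stored, candidate)


if __name__ == "__main__":
    for dn in SAMPLE_ENTRIES:
        print(dn, authenticate_locally(SAMPLE_ENTRIES, dn, "secret"))
```

Option 2 (rebind) has no offline equivalent: the client simply performs an LDAP simple bind as the looked-up DN with the supplied password and lets the directory do the comparison, so none of the parsing above is needed and userPassword can stay unreadable to everyone except the server itself.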