On Fri, Jul 18, 2003 at 01:42:17AM +0200, Claudio Jeker wrote:
> On Thu, Jul 17, 2003 at 05:00:57PM -0500, Zachary Kotlarek wrote:
> >
> > On Thursday, July 17, 2003, at 04:19 PM, Claudio Jeker wrote:
> >
> > >IMHO the acl settings are OK, there is a more fundamental problem
> > >with the {SHA} salt. I just checked it with one of my servers and
> > >there it fails too, will have a look at it.
> >
> > {SSHA} will not work with qmail, but {SHA} and the MD5 hashes will.
> > {SSHA} is the default hash now in OpenLDAP, so you'll have to manually
> > specify your desired hash.
> >
>
> The stupid thing is that SHA1 hashes computed by qmail-ldap (e.g. with the digest
> tool) are unusable by OpenLDAP's rebind function.
> Currently I don't know where the problem is.
>
OK, I have found the problem with ldap rebind. Until a few releases ago
it was possible to rebind an already authenticated ldap session to another
account. At least since 2.0.27 and 2.1.22 rebinding needs an ldap_unbind
first.
To fix this in the current code is not so easy, and especially because of
the upcoming changes in the ldap code I will not fix it for the moment.
Unless you are using SSHA as digest you can turn off rebind as a hot fix.
--
:wq Claudio
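
The two userPassword schemes discussed in this thread, as an added example that is not part of the original messages and is not qmail-ldap or OpenLDAP code: it builds and parses {SHA} and {SSHA} values and shows that a checker which only recomputes the unsalted digest can never match an {SSHA} value. All function names are hypothetical, and the 4-byte salt and the sample password are assumptions.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # size of a raw SHA-1 digest in bytes

def make_sha(password: bytes) -> str:
    """{SHA}: base64 of the bare SHA-1 digest of the password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def make_ssha(password: bytes, salt: bytes = None) -> str:
    """{SSHA}: base64 of SHA-1(password + salt) followed by the salt."""
    salt = os.urandom(4) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_userpassword(stored: str):
    """Split a stored value into (scheme, digest, salt); ValueError if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    if scheme == "SHA" and len(raw) != SHA1_LEN:
        raise ValueError("{SHA} payload must be exactly 20 bytes")
    if scheme == "SSHA" and len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} payload carries no salt")
    return scheme, raw[:SHA1_LEN], raw[SHA1_LEN:]

def verify(password: bytes, stored: str) -> bool:
    """Check a password against either scheme (salt is empty for {SHA})."""
    _, digest, salt = parse_userpassword(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def sha_only_verify(password: bytes, stored: str) -> bool:
    """Model of a checker that knows only {SHA}: recompute and compare the string."""
    return hmac.compare_digest(make_sha(password).encode(), stored.encode())

if __name__ == "__main__":
    pw = b"secret"  # constructed sample password
    for value in (make_sha(pw), make_ssha(pw)):
        print(value, verify(pw, value), sha_only_verify(pw, value))
```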