Re: Problem with 389-ds authentication

> On 8 Mar 2023, at 00:37, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
> 
> What rpm version of 389-ds-base are you using?  Is it the same on both systems?
> 
> In newer versions the standard storage scheme is PBKDF2-SHA512. Is your client trying to read or add already hashed passwords? Not sure why dovecot, or any client, would be complaining about an unknown password storage scheme since it should not know anything about the password storage scheme as it's supposed to be handled by the Directory Server internally.

You're bang on the money here Mark. Lots of "older" unix applications like dovecot *read* the raw hashes and try to actually compute and compare them themselves, rather than sending the pw cleartext and letting the ldap server do the work. 

>> 
>> dovecot[721505]: auth: Error: ldap(USERNAME): Unknown scheme PBKDF2-SHA512
>> 
>> Changing password for a user will allow authentication against the LDAP from the smtp server, but when the imap server authenticates and uses auth_bind, then no LDAP authentication is possible on the smtp server and the above error message appears again for the user.
>> 
>> I found out, that when I also use auth_bind for Dovecot on the smtp server everything works.
>> 
>> What I hope someone could explain for me is, what's happening with the slave queries against the 389-ds ro server instance when the imap server authenticates the user with auth_bind enabled and the smtp server cannot authenticate the user when auth_bind is not enabled.

It'll be a config on the dovecot or postfix side. 

It's been about 10 years since I ran dovecot for IMAP+SASL, but this sounds like an issue with how postfix is working with dovecot for the user/auth process. 

Sorry I don't think we can help much in this case :( 

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
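
An added example, not part of the original message and not code from 389-ds or Dovecot: a Python audit over an LDIF export that lists the accounts whose `userPassword` scheme a hash-comparing client would reject, which are the accounts that only bind-based authentication (`auth_bind`) can serve. The sample LDIF, the placeholder hash bodies and the `CLIENT_SCHEMES` list are constructed assumptions.

```python
import base64
import re

def _b64(text):
    return base64.b64encode(text.encode()).decode()

_folded = _b64("{PBKDF2-SHA512}placeholder-two")

# Constructed sample export (not from the thread); hash bodies are placeholders.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: {SSHA}placeholder",
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{PBKDF2-SHA512}placeholder"),  # base64 form
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword:: " + _folded[:10],
    " " + _folded[10:],                                     # folded line
    "",
])

# Assumption: schemes the hash-comparing client can verify (hypothetical list).
CLIENT_SCHEMES = ("SSHA", "SSHA512", "CRYPT")
SCHEME_RE = re.compile(r"^\{([^}]+)\}")

def password_schemes(ldif):
    """Return [(dn, scheme)] per userPassword value; scheme is None if unprefixed."""
    dn, found = None, []
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # undo line folding
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                           # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            match = SCHEME_RE.match(value)
            found.append((dn, match.group(1).upper() if match else None))
    return found

def needs_bind(ldif, client_schemes=CLIENT_SCHEMES):
    """Accounts whose stored scheme the client cannot verify on its own."""
    known = {s.upper() for s in client_schemes}
    return [(dn, s) for dn, s in password_schemes(ldif) if s and s not in known]

if __name__ == "__main__":
    for dn, scheme in needs_bind(SAMPLE_LDIF):
        print(f"{dn}: {scheme} not verifiable client-side, authenticate by bind")
```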