aaron at engr
Mar 2, 2002, 11:03 PM
Post #12 of 15
(1268 views)
Permalink
|
Who'd a thunk it, but I've been searching around on this "munged password
field" and it is actually something of a de-facto standard now! Bah!
Basically, OpenLDAP's userPassword field (according to standards compliance)
only took plain text passwords. But lots of different vendors, with whom
OpenLDAP wanted to be compatible, were using different hashes (cough M$ cough)
and so they did this same extension to their password field.
So without too much more jabbering, I'd like to hear from Eelco or Roel on
possibly incorporating this mechanism (yeah yeah, don't worry, I'll write the
code ;-)
Aaron
Aaron Stone <aaron [at] engr> said:
> I'm thinking about this more, and more, and I like it. Minimal changes to and
> of the tables, and very straight forward to set up the password layer here.
>
> Two issues, though. One, why are we using a munged password field, that
> requires some text processing and whatnot to discover the type of data stored?
> Seems silly. Should just add a new field for the password type.
>
> Two, there's two points at which a user is looked up. One for logging in, and
> one for receiving mail. My LDAP hacks also obsolete the aliases table by
> forcing all lookups for incoming email addresses to search in the LDAP for the
> user supposed to receive that mail. I think this is the right way for that to
> happen.
>
> However, I did have a bunch of issues with certain "builtin" accounts. Like
> postmaster. That account MUST exist according to RFC's, and so I had to set it
> up on the LDAP end with an email alias to a user account. INHO, this account
> should be built into dbmail (not hardcoded, but distributed in the database
> definition certainly). This would also be the default administrative user
> account for whatever web based administration interfaces that (if) ever get
> written.
>
> So lemme bottom line this: a "fallback list" of incoming lookups, and a type
> field for existing user password lookups. What are thinks?
>
> Aaron
>
> Aaron Stone <aaron [at] engr> said:
>
> > It would probably be better to use a new command line option, rather than
> > hacking on the existing option. There might be several styles of password hash
> > that people might want to use...
> >
> > For example, what if I implemented my LDAP hack within your framework? So the
> > password field might be "{LDAP}:CN=username,OU=group,DC=domain,DC=com"
> > indicating that the user should be authenticated by connecting to that ldap
> > account with the supplied password.
> >
> > This is just coming off the top of my head, so I need to think a little bit
> > more about the semantics of doing it this way, but I think we might be on to
> > something...
> >
> > Aaron
> >
> > eddy <eddy [at] 5687> said:
> >
> > > Eelco,
> > >
> > > I have completed the crypt hash password section. It can enhance the
> > > security. Even some one break into the database, he still don't know
> > > user's password. It also keep backword compatible with clear text
> > > password mode. The new password related function was :
> > >
> > > dbmail-adduser c foo -p passwd (storage foo's passward in clean text)
> > > dbmail-adduser c foo +p passwd (storage foo's password in hash mode)
> > > dbmail-adduser c foo -P (copy foo's password from /etc/shadow)
> > >
> > > Now it was suitable for all people. I want copy existing user's password
> > > and they need not remember another new password. A virtual user can create
> > > with enhanced security protection. 8)
> > >
> > > I have been consider using PAM function. However it need root rights to
> > > run the function. It may create potential security problem so I drop it.
> > >
> > > Ecnlosed was the c program I have amended. I have some remark begin with
> > > "/* eddy" to note the major change. The program in fact was copy from
> > > "b_pam" by bengie [at] fire and "cpu" by matheny [at] dbaseiv
> > > Please conside including it into your distribution.
> > >
> > > Regards,
> > > Eddy Lai
> > >
> > > On Mon, 25 Feb 2002, eddy wrote:
> > >
> > > > Eelco,
> > > >
> > > > Since I am planning to take over a 20G email system, I am immediate
> > > > facting the file size problem. I can't wait !!
> > > >
> > > > Another suggestion, I don't want to re-asign the password for all
users. I
> > > > looking for a solution to import existing hashed passwd from /etc/shadow
> > > > file into the "password" field. I suggest as following :
> > > >
> > > > - in the table user the password field keep the crypt hashed password in
> > > > form of "{crypt}:<hashed password value>"
> > > >
> > > > - the following program need to rewrite to reflect the changes:
> > > > dbmail-imapdB
> > > > - support crypt mode password
> > > > dbmail-pop3d
> > > > - support crypt mode password
> > > > dbmail-adduser
> > > > - add a flag to copy passwd from shadow file.
> > > > - add a flag to hash the clear text password
> > > >
> > > >
> > >
> > > --
> > > Eddy Lai
> > > http://www.5687.net/
> > >
> >
> >
> >
> > --
> >
> >
> >
> > _______________________________________________
> > Dbmail mailing list
> > Dbmail [at] dbmail
> > https://mailman.fastxs.nl/mailman/listinfo/dbmail
> >
>
>
>
> --
>
>
>
> _______________________________________________
> Dbmail mailing list
> Dbmail [at] dbmail
> https://mailman.fastxs.nl/mailman/listinfo/dbmail
>
--
|
dbmail.tgz
message-rfc822.eml
