Many LDAP setups store passwords with {CRYPT} or {BLF-CRYPT} prefixes, which are commonly used by Dovecot, Roundcube (password plugin), and are required by OpenBSD's ldapd for user authentication (ldapd(8)).
OpenSMTPD, however, expects Blowfish-hashed passwords without prefixes, causing authentication failures.
This patch modifies ldap_lookup_entry() to strip these prefixes before returning the password, ensuring compatibility with LDAP directories while keeping OpenSMTPD behavior unchanged.
Index: table_ldap.c
--- table_ldap.c.orig
+++ table_ldap.c
@@ -276,6 +276,13 @@ ldap_lookup_entry(const struct request *req, const struct aldap_message *m)
if (aldap_match_attr(m, q->attrs[1], &attr) == -1)
break;
if (attr->len > 1)
log_warnx("req \"%s\" returned more than one attr \"%s\"", req->key, q->attrs[1]);
+ /* Remove {CRYPT} or {BLF-CRYPT} prefix if present */
+ if (strncmp(attr->str[1].ostr_val, "{CRYPT}", 7) == 0)
+ attr->str[1].ostr_val += 7;
+ else if (strncmp(attr->str[1].ostr_val, "{BLF-CRYPT}", 11) == 0)
+ attr->str[1].ostr_val += 11;
+
if (strlcat(tmp, attr->str[1].ostr_val, sizeof(tmp)) >= sizeof(tmp))
break;
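Review bot: the strip advances `attr->str[1].ostr_val` itself, i.e. the pointer held inside the aldap-owned stringset, rather than a local copy; whatever later frees or reuses `attr` will then see a pointer into the middle of the value. Prefer a local `const char *hash = attr->str[1].ostr_val;`, advance that (`hash += 7;`), and pass `hash` to the existing `strlcat(tmp, ...)` so the structure is left untouched. Two smaller points on the same lines: the literals 7 and 11 are easier to keep in sync with the strings as `sizeof("{CRYPT}") - 1` / `sizeof("{BLF-CRYPT}") - 1`, and `strncmp` is case-sensitive, so a directory storing `{crypt}` or `{blf-crypt}` would still fail to authenticate; `strncasecmp` would cover both spellings.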
Regards,
RZ
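As an added example, not code from this patch or from OpenSMTPD, a helper that does the same prefix stripping without mutating the aldap result: it returns an offset into the value, matches the scheme name case-insensitively, and gives the caller a way to reject values that are still not Blowfish strings after stripping. The function names are my own.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/*
 * Return a pointer past a recognised LDAP password-scheme prefix, or the
 * input itself when no prefix is present. The input is never modified, so
 * the caller keeps handing the original pointer to whatever owns it.
 * Scheme names are matched case-insensitively, because directories store
 * them as either {CRYPT} or {crypt}.
 */
const char *
ldap_strip_crypt_prefix(const char *hash)
{
	/* Schemes whose payload is a plain crypt(3)-style string. */
	static const char *const schemes[] = { "{CRYPT}", "{BLF-CRYPT}", NULL };
	size_t i, n;

	if (hash == NULL)
		return NULL;
	for (i = 0; schemes[i] != NULL; i++) {
		n = strlen(schemes[i]);
		if (strncasecmp(hash, schemes[i], n) == 0)
			return hash + n;
	}
	return hash;
}

/*
 * Sanity check a caller would run before handing the value to the
 * password verifier: after stripping, a Blowfish hash starts with "$2".
 * A value for an unrecognised scheme such as {SSHA} still begins with
 * "{" and is rejected here instead of silently failing later.
 */
int
ldap_hash_is_blowfish(const char *hash)
{
	const char *h = ldap_strip_crypt_prefix(hash);

	return h != NULL && strncmp(h, "$2", 2) == 0;
}
```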