[horde] Getting horde to authenticate against dovecot DB
Michael J Rubinsky
mrubinsk at horde.org
Sun Aug 18 20:46:57 UTC 2019
Quoting Coy Hile <coy.hile at coyhile.com>:
> On 2019-08-17 10:21, Michael J Rubinsky wrote:
>> Quoting Coy Hile <coy.hile at coyhile.com>:
>>
>>> Hi all,
>>>
>>> I'm currently trying to get Horde to authenticate against my
>>> Dovecot virtual user database, as I want the ActiveSync
>>> functionality that is missing from other solutions. However, I'm
>>> having a hard time getting the passwords in a form that both
>>> Horde and Dovecot understand.
>>>
>>> In the dovecot DB, I have:
>>>
>>> username | domain |
>>> password
>>> ---------------+----------+--------------------------------------------------------------------------------------------------------------------------
>>> user at test.com | test.com |
>>> {SHA512-CRYPT}$6$8CK0YWwoEjEvhEwf$58UUMSvPL8fE1p50bfTjHqivp3iwmfk/2sbv9igUT0FhwRc548UaKDWBYCvgrOyDfT81u9dLEJ7ulHLFbvbSq/
>>>
>>>
>>> conf.php contains (in relevant part):
>>>
>>> $conf['auth']['params']['query_auth'] = 'SELECT * FROM users WHERE
>>> username=\L AND password=\P';
>>> $conf['auth']['params']['encryption'] = 'crypt-sha512';
>>> $conf['auth']['params']['show_encryption'] = false;
>>> $conf['auth']['driver'] = 'customsql';
>>>
>>> In syslog, one sees:
>>>
>>> Aug 16 21:39:23 8616546e-fcab-e37b-a25a-c746648411f7 HORDE:
>>> [horde] SQL (0.0014s) #012#011SELECT * FROM users WHERE
>>> username='user at test.com' AND#012#011
>>> password='$6$jCCF2GRqLkldtA6u$NMZosKqif68Ro0HjRTGy7Y/tqUuGEMYq.oZ5OqcX#012#011 NAC3PW7jMhsL.ZzdE67vjw6Bx6gIgoQh.d.3syBdYUC4j0' [pid 2321 on line 241 of
>>> "/usr/share/php/Horde/Db/Adapter/Pdo/Base.php"]
>>> Aug 16 21:39:23 8616546e-fcab-e37b-a25a-c746648411f7 HORDE:
>>> [horde] FAILED LOGIN for user at test.com to horde (10.100.9.20)
>>> [pid 2321 on line 198 of "/usr/share/horde/login.php"]
>>>
>>> So, that brings up some questions:
>>> (1) Is the data in the log actually correct? Why are there what
>>> appear to be "#012#011 " in the middle of the query?
>>> (2) Am I completely taking the wrong approach here? Is there a
>>> better way to get these two things to play nice, or do I have to
>>> finesse something in the SQL queries to make this work?
>>>
>>> I'll probably only use this as a front end to activesync, which
>>> will talk to the same Dovecot instance eventually.
>>
>>
>> You are probably missing the 'query_getpw' query. You need a query
>> that will load the password first, in order to get the salt before we
>> can verify the user provided password. Something like
>>
>> 'SELECT password FROM you_table WHERE username = \L'
>>
>> See towards the end of the following post for more info:
>>
>>
>> https://theupstairsroom.com/116
>>
>
>
> Following up on this, is there any work underway to support other
> salted SHA algorithms besides {SSHA} in horde? For example
> {SSHA512}, which is what I'd use given my choice over vanilla
> SHA512-CRYPT?
No one is working on this that I know of. However, adding support for
this, related to auth password, shouldn't be too difficult, since PHP
does support SHA-512 hashes.
> My use case is to bring horde-activesync in (on its own VMs) for
> mobile (and Outlook/Mail.app functionality); I've used it in the
> past. However, the last time I rebuilt my webmail tier, I used
> roundcube; it seemed lighter, and more importantly, it existed as an
> entity in pkgsrc, so I dodn't have to do a large manual installation
> process. I guess part of the problem I'm running into is that while
> Horde actively attempts to manage users, other platforms just like
> the IMAP backend handle that and just has tables with the login name
> for things like preferences and the like.
>
> But I think you are spot on that I need to do a bunch of work in the
> postgres query to get the hashed, salted password into the form that
> Dovecot expects.
You shouldn't need a "bunch" of work. Assuming your table structure
and data you posted are correct, the query I posted should be all that
you need, and possibly setting the 'show_encryption' value correctly.
> --
> Coy Hile
> coy.hile at coyhile.com
--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 9272 bytes
Desc: PGP Public Key
URL: <https://lists.horde.org/archives/horde/attachments/20190818/926fbafe/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 821 bytes
Desc: PGP Digital Signature
URL: <https://lists.horde.org/archives/horde/attachments/20190818/926fbafe/attachment-0001.bin>
More information about the horde
mailing list