Description
Hi,
Many LDAP setups store passwords with {CRYPT} or {BLF-CRYPT} prefixes, which are commonly used by Dovecot, Roundcube (password plugin), and are required by OpenBSD's ldapd for user authentication (ldapd(8)).
OpenSMTPD, however, expects Blowfish-hashed passwords without prefixes, causing authentication failures.
This patch modifies ldap_lookup_entry() to strip these prefixes before returning the password, ensuring compatibility with LDAP directories while keeping OpenSMTPD behavior unchanged.
Index: table_ldap.c
--- table_ldap.c.orig
+++ table_ldap.c
@@ -276,6 +276,13 @@ ldap_lookup_entry(const struct request *req, const struct aldap_message *m)
if (aldap_match_attr(m, q->attrs[1], &attr) == -1)
break;
if (attr->len > 1)
log_warnx("req \"%s\" returned more than one attr \"%s\"", req->key, q->attrs[1]);
+ /* Remove {CRYPT} or {BLF-CRYPT} prefix if present */
+ if (strncmp(attr->str[1].ostr_val, "{CRYPT}", 7) == 0)
+ attr->str[1].ostr_val += 7;
+ else if (strncmp(attr->str[1].ostr_val, "{BLF-CRYPT}", 11) == 0)
+ attr->str[1].ostr_val += 11;
+
if (strlcat(tmp, attr->str[1].ostr_val, sizeof(tmp)) >= sizeof(tmp))
break;
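Review bot: the two `attr->str[1].ostr_val += 7;` / `attr->str[1].ostr_val += 11;` lines advance the pointer stored inside the aldap attribute itself instead of a local copy, so the cleanup that owns that octet string afterwards sees an interior pointer; if that memory is later released with free(), this turns into an invalid free. Keep the attribute untouched and strip the prefix on a local instead, e.g. `const char *pw = attr->str[1].ostr_val; if (strncmp(pw, "{CRYPT}", 7) == 0) pw += 7; else if (strncmp(pw, "{BLF-CRYPT}", 11) == 0) pw += 11;` and pass `pw` to the strlcat below. Two smaller points: LDAP scheme names are conventionally case-insensitive (`{crypt}` does occur in real directories), so strncasecmp would match more setups than strncmp; and the comment should say that any other scheme (`{SHA}`, `{SSHA}`, ...) is passed through unchanged and will still fail verification, which is the intended behaviour but worth stating for whoever reads the log later.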
Regards,
RZ
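The prefix stripping described in this issue, written as a stand-alone helper rather than as a change to table_ldap.c: it is an added example, not code from the issue or from OpenSMTPD, and it assumes the caller passes the userPassword value together with its octet-string length. It leaves the stored buffer untouched, matches the scheme name case-insensitively, and refuses to read past the given length.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Scheme prefixes whose payload is a bare crypt(3) string (constructed list). */
static const char *const crypt_schemes[] = { "{CRYPT}", "{BLF-CRYPT}" };

/* Case-insensitive compare of exactly n bytes, so {crypt} matches too. */
static int
prefix_matches(const char *val, const char *scheme, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (tolower((unsigned char)val[i]) != tolower((unsigned char)scheme[i]))
			return 0;
	return 1;
}

/*
 * Return a pointer to the crypt(3) hash inside an LDAP userPassword value,
 * skipping a {CRYPT} or {BLF-CRYPT} scheme prefix. The caller's buffer is
 * never modified, so its owner can still free it; the result is only for
 * reading. Values with any other scheme, or with no scheme, are returned
 * unchanged. len is the octet-string length, which bounds every read.
 */
const char *
ldap_crypt_hash(const char *val, size_t len)
{
	size_t i, plen;

	for (i = 0; i < sizeof(crypt_schemes) / sizeof(crypt_schemes[0]); i++) {
		plen = strlen(crypt_schemes[i]);
		if (len >= plen && prefix_matches(val, crypt_schemes[i], plen))
			return val + plen;
	}
	return val;
}
```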