bug: ARGON2 hash selection incompatible with LDAP

Aki Tuomi aki.tuomi at open-xchange.com
Tue Nov 15 12:55:01 UTC 2022


> On 15/11/2022 14:45 EET Krisztián Szegi <oni-dono at mszk.eu> wrote:
> 
>  
> Good day to all,
>  
> this is my first post to the mailing list!
>  
> I'd like to report that non-binding auth to (Open)LDAP doesn't work if the latter hashes passwords with ARGON2.
>  
> Although dovecot (I am using http://2.3.19.1) does support ARGON2 with libsodium, but it doesn't recoginize hashes beginning "{ARGON2}$argon2id$" stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP.
>  
> Now, I understand that ARGON2I, -D, and -ID are not compatible, but the ACTUAL algorithm is there between the two $.
> Furthermore, I think dovecot is in the minority here, I haven't met any software that specifies the ARGON2 subtype between {}.
> BTW, I haven't met any software that hashes passwords with ARGON2, but not with the ARGON2ID subtype (where libsodium is available, which also seems to be the standard here), as THAT is the recommended one anyway.
> 
> I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
> https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
>  
> Could we get something like this (but maybe more correct) into the official source?
> Maybe a config switch to alias it runtime?
>  
> Thanks for the attention:
> Krisztián

Hi!

Thanks for your report. I think it makes sense, we'll see what we can do about this.

Aki


More information about the dovecot mailing list