bug: ARGON2 hash selection incompatible with LDAP

Krisztián Szegi k.git at mszk.eu
Tue Nov 15 19:17:39 UTC 2022


"Michael Ströder" michael at stroeder.com – 15 November 2022 15:00
> On 11/15/22 13:45, Krisztián Szegi wrote:
>> I'd like to report that non-binding auth to (Open)LDAP doesn't work
>> if the latter hashes passwords with ARGON2.
> Could you please elaborate why using LDAP bind is a problem for you?
>
> Ciao, Michael.

Fair enough question!

I cannot specify a bind_dn template due to mismatched mail addresses and user DNs, and I thought that that would be suboptimal due to re-binding.
I am a bit confused about how to optimize LDAP lookups now (static files are not an option :); re-reading the docs just made me question more things:
- auth_bind_dn cannot be given in my case, as a fixed starting point
- auth_bind adds a temporary binding (using pass_filter)
- can I use userdb prefetch? The docs say I cannot if I use bind with a template, but I am not using the latter. So the search for the user's DN during auth IS the passdb lookup?
- assuming I am correct, I should give back stuff with the passdb lookup: or do I?
  - Must I give back uid and gid? 10-mail.conf has "vmail" for both, as mail accounts don't have UNIX ones linked to them...
  - Same for home? There is no default I've given until the userdb lookup. Just specify a global mail_home with variables, and get on with life?
  - If I should give back one, should I pass it with default_fields = userdb_home (currently I specify it under default_fields: home in the userdb lookup, as LDAP doesn't override home)?

The docs are confusing around userdb. The main thing that is not clear is that they CAN override fields on a per-user basis, but must they provide them for non-extra fields when there are global settings for those?

Thanks!

BTW, thanks for the great software all of you.
Michael, I've come across some of your work, you have my respect!
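For readers following the thread, here is an added example of the setup the questions above circle around: LDAP bind authentication (so the directory verifies the Argon2 hash and Dovecot never has to parse it) combined with the prefetch userdb. This is not the poster's configuration and not a snippet from the Dovecot project; the hostname, base DN, search account, attribute names (mail, homeDirectory) and the /var/vmail path are assumptions, and the sample is for Dovecot 2.x.

```conf
# --- conf.d/10-auth.conf (or dovecot.conf) ---
# With auth_bind = yes and no auth_bind_userdn template, the passdb does a
# search with pass_filter first (using the dn/dnpass search account), so the
# userdb_* attributes it returns can be reused by the prefetch userdb.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# prefetch: IMAP/POP3 logins do one LDAP search plus one bind, no second search
userdb {
  driver = prefetch
}

# fallback for lookups that do not go through passdb (LMTP delivery, doveadm)
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  # default_fields applies only when LDAP returns nothing for the field;
  # override_fields would win even when LDAP returns a value
  default_fields = home=/var/vmail/%d/%n
}

# --- conf.d/10-mail.conf ---
# global uid/gid for all virtual users; the userdb does not need to return them
mail_uid = vmail
mail_gid = vmail
# used whenever the userdb returns no home field
mail_home = /var/vmail/%d/%n

# --- /etc/dovecot/dovecot-ldap.conf.ext (passdb) ---
# assumed directory; the search account only needs read access
uris = ldaps://ldap.example.com
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = search-account-password
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = subtree

# bind as the entry matched by pass_filter; the LDAP server checks the password
auth_bind = yes
# login name is the mail address, DN layout does not matter
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

# no password attribute is returned; userdb_* fields feed the prefetch userdb
pass_attrs = mail=user, homeDirectory=userdb_home

# --- /etc/dovecot/dovecot-ldap-userdb.conf.ext (fallback userdb) ---
uris = ldaps://ldap.example.com
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = search-account-password
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = subtree
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
user_attrs = homeDirectory=home
```

Two points worth checking after applying something like this: `doveadm auth test user@example.com` should log a single search followed by a bind against the found DN, and `doveadm user user@example.com` should still resolve home via the fallback userdb, since LMTP and doveadm never run the passdb step that prefetch depends on.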
