bug: ARGON2 hash selection incompatible with LDAP
Aki Tuomi
aki.tuomi at open-xchange.com
Wed Nov 16 08:55:10 UTC 2022
> On 15/11/2022 21:17 EET Krisztián Szegi <k.git at mszk.eu> wrote:
>
>
> "Michael Ströder" michael at stroeder.com – 15 November 2022 15:00
> > On 11/15/22 13:45, Krisztián Szegi wrote:
> >> I'd like to report that non-binding auth to (Open)LDAP doesn't work
> >> if the latter hashes passwords with ARGON2.
> > Could you please elaborate why using LDAP bind is a problem for you?
> >
> > Ciao, Michael.
> >
> >
>
> Fair enough question!
>
> I cannot specify bind_dn template due to mismatched mail addresses and user DNs, and I thought that that would be suboptimal due to re-binding.
> I am a bit confused about how to optimize LDAP lookups now (static files are not an option :), re-reading the docs just made me question more things
> - auth_bind_dn cannot be given in my case, as a fixed starting point
> - auth_bind adds a temporary binding (using pass_filter)
> - can I use userdb prefetch? Docs say I cannot if I use bind with template, but I am not using the latter. So the search for the user's dn during auth IS the passdb lookup?
prefetch userdb does not in fact fetch anything. It mainly looks if passdb result contains userdb_* field(s) and shortcuts the lookup there.
> - assuming I am correct, I should give back stuff with passdb lookup: or do I?
> - Must I give back userid and guid? 10-mail.conf has "vmail" for both, as mail accounts don't have UNIX ones linked to them...
> - same for home? There is no default I've given until userdb lookup. Just specify a global mail_home with variables, and get on with life?
> - if I should give back one, should I pass it with default_fields = userdb_home (currently I specify it under default_fields:home in userdb lookup as LDAP doesn't override home).
>
> The docs are confusing around userdb. The main thing what is not clear that they CAN override fields on a per-user basis, but must they provide them for non-extra fields, when there are global settings for those?
mail_home, mail_gid, mail_uid etc. can be just templated out in config file, providing them in userdb reply is optional.
If you don't need anything special for the userdb, it might already be enough to just have ldap passdb.
>
> Thanks!
>
> BTW, thanks for the great software all of you.
> Michael, I've come across some of your work, you have my respect!
Aki
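As an added illustration of the setup discussed in this thread (not configuration from the thread or from the Dovecot project): an LDAP passdb using auth binds, so the directory verifies the password itself and Dovecot never has to read or parse the stored hash, plus a prefetch userdb fed by userdb_* fields from pass_attrs, with mail_home, mail_uid and mail_gid templated globally. The host, base DN, service account, attribute names and paths are assumed placeholders.

```conf
# --- dovecot.conf / conf.d (added example; all values are assumptions) ---
# Global templates; a userdb reply may override these per user but need not provide them.
mail_uid = vmail
mail_gid = vmail
mail_home = /var/vmail/%d/%n

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# prefetch performs no lookup of its own: it reuses the userdb_* fields
# returned by the passdb above, so login needs a single LDAP search + bind.
userdb {
  driver = prefetch
}

# Fallback for userdb-only lookups (LMTP/LDA delivery, doveadm), where no
# passdb lookup has run and prefetch therefore has nothing to use.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

# --- /etc/dovecot/dovecot-ldap.conf.ext (added example; values are assumptions) ---
uris = ldaps://ldap.example.net
# Read-only service account used only for the initial search that maps the
# login name to a DN; the user's own bind is what checks the password.
dn = cn=dovecot,ou=services,dc=example,dc=net
dnpass = CHANGE_ME
auth_bind = yes
base = ou=people,dc=example,dc=net
scope = subtree
# Search by mail address (no bind_dn template needed when mail and DN differ),
# then bind as the DN found. The password hash is never returned to Dovecot,
# so its hash scheme (ARGON2 or otherwise) is irrelevant on this side.
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user, homeDirectory=userdb_home
```

Two caveats that follow from this arrangement: an auth bind can only verify a password it has in plaintext, so only PLAIN/LOGIN style SASL mechanisms work with it (use TLS on the client side), and no userdb_uid/userdb_gid are returned here because the global mail_uid/mail_gid already cover every account, which is the "optional" case Aki describes above.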