bug: ARGON2 hash selection incompatible with LDAP

Krisztián Szegi oni-dono at mszk.eu
Wed Nov 16 10:54:55 UTC 2022


"Krisztián Szegi" k.git at mszk.eu – 15 November 2022 20:18
> "Michael Ströder" michael at stroeder.com – 15 November 2022 15:00
> > On 11/15/22 13:45, Krisztián Szegi wrote:
> >> I'd like to report that non-binding auth to (Open)LDAP doesn't work
> >> if the latter hashes passwords with ARGON2.
> > Could you please elaborate why using LDAP bind is a problem for you?
> >  
> > Ciao, Michael.
> >  
>>  
> Fair enough question!
>  
> I cannot specify bind_dn template due to mismatched mail addresses and user DNs, and I thought that that would be suboptimal due to re-binding.
> I am a bit confused about how to optimize LDAP lookups now (static files not option :), re-reading the docs it just made me question more things
> - auth_bind_dn cannot be given in my case, as a fixed starting point
> - auth_bind adds a temporary binding (using pass_filter)
> - can I use userdb prefetch? Docs say I cannot if I use bind with template, but I am not using the latter. So the search for the user's dn during auth IS the passdb lookup?
> - assuming I am correct, I should give back stuff with passdb lookup: or do I?
>   - Must I give back userid and guid? 10-mail.conf has "vmail" for both, as mail accounts don't have UNIX ones linked to them...
>   - same for home? There is no default I've given until userdb lookup. Just specify a global mail_home with variables, and get on with life?
>   - if I should give back one, should I pass it with default_fields = userdb_home (currently I specify it under default_fields:home in userdb lookup as LDAP doesn't override home).
> 
> The docs are confusing around userdb. The main thing that is not clear is that they CAN override fields on a per-user basis, but must they provide them for non-extra fields, when there are global settings for those?
> 
> Thanks!
> 
> BTW, thanks for the great software all of you.
> Michael, I've come across some of your work, you have my respect!
> 

On second thought:
I switched to auth_bind = yes (I'll start a new thread on optimizing passdb and userdb, because the scattered documentation has some holes in it, I think), but my patch is still needed - if I understand correctly - because I use postfix with dovecot as LMTP and auth backend.
 

