Re: bug: ARGON2 hash selection incompatible with LDAP
"Michael Ströder" michael@stroeder.com – 15 November 2022 15:00
On 11/15/22 13:45, Krisztián Szegi wrote:
I'd like to report that non-binding auth to (Open)LDAP doesn't work if the latter hashes passwords with ARGON2.
Could you please elaborate why using LDAP bind is a problem for you? Ciao, Michael.
Fair enough question! I cannot specify a bind_dn template due to mismatched mail addresses and user DNs, and I thought that that would be suboptimal due to re-binding. I am a bit confused about how to optimize LDAP lookups now (static files are not an option :); re-reading the docs just made me question more things:
- auth_bind_dn cannot be given in my case, as a fixed starting point
- auth_bind adds a temporary binding (using pass_filter)
- can I use userdb prefetch? Docs say I cannot if I use bind with template, but I am not using the latter. So the search for the user's dn during auth IS the passdb lookup?
- assuming I am correct, I should give back stuff with the passdb lookup: or do I?
  - Must I give back uid and gid? 10-mail.conf has "vmail" for both, as mail accounts don't have UNIX ones linked to them...
  - Same for home? There is no default I've given until the userdb lookup. Just specify a global mail_home with variables, and get on with life?
  - If I should give back one, should I pass it with default_fields = userdb_home (currently I specify it under default_fields:home in the userdb lookup, as LDAP doesn't override home)?
The docs are confusing around userdb. The main thing that is not clear: they CAN override fields on a per-user basis, but must they provide them for non-extra fields when there are global settings for those?
Thanks!
BTW, thanks for the great software all of you. Michael, I've come across some of your work, you have my respect!
On 15/11/2022 21:17 EET Krisztián Szegi k.git@mszk.eu wrote:
"Michael Ströder" michael@stroeder.com – 15 November 2022 15:00
On 11/15/22 13:45, Krisztián Szegi wrote:
I'd like to report that non-binding auth to (Open)LDAP doesn't work if the latter hashes passwords with ARGON2.
Could you please elaborate why using LDAP bind is a problem for you? Ciao, Michael.
Fair enough question! I cannot specify a bind_dn template due to mismatched mail addresses and user DNs, and I thought that that would be suboptimal due to re-binding. I am a bit confused about how to optimize LDAP lookups now (static files are not an option :); re-reading the docs just made me question more things:
- auth_bind_dn cannot be given in my case, as a fixed starting point
- auth_bind adds a temporary binding (using pass_filter)
- can I use userdb prefetch? Docs say I cannot if I use bind with template, but I am not using the latter. So the search for the user's dn during auth IS the passdb lookup?
The prefetch userdb does not in fact fetch anything. It mainly looks at whether the passdb result contains userdb_* field(s) and shortcuts the lookup there.
- assuming I am correct, I should give back stuff with the passdb lookup: or do I?
  - Must I give back uid and gid? 10-mail.conf has "vmail" for both, as mail accounts don't have UNIX ones linked to them...
  - Same for home? There is no default I've given until the userdb lookup. Just specify a global mail_home with variables, and get on with life?
  - If I should give back one, should I pass it with default_fields = userdb_home (currently I specify it under default_fields:home in the userdb lookup, as LDAP doesn't override home)?
The docs are confusing around userdb. The main thing that is not clear: they CAN override fields on a per-user basis, but must they provide them for non-extra fields when there are global settings for those?
mail_home, mail_gid, mail_uid etc. can just be templated in the config file; providing them in the userdb reply is optional.
If you don't need anything special for the userdb, it might already be enough to just have ldap passdb.
Thanks!
BTW, thanks for the great software all of you. Michael, I've come across some of your work, you have my respect!
Aki
"Krisztián Szegi" k.git@mszk.eu – 15 November 2022 20:18
On second thought: I switched to auth_bind = yes (I'll start a new thread on optimizing passdb and userdb, because the scattered documentation has some holes in it, I think), but my patch is still needed - if I understand correctly - because I use Postfix with Dovecot as LMTP and auth backend.
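The setup Aki sketches above (bind-based LDAP passdb, prefetch userdb, mail_* settings templated globally) together with a stand-alone LDAP userdb for the LMTP path Krisztián mentions, written out as an added example. This is not configuration from the thread or from the Dovecot project; the LDAP host, base DN, service-account DN and the /var/vmail/%d/%n mailbox layout are assumed placeholders.

```conf
# conf.d/10-mail.conf
# Global defaults. A userdb reply MAY override these per user but does not
# have to return them at all (Aki's point above); keeping them here means the
# passdb reply only has to identify the user.
mail_uid      = vmail
mail_gid      = vmail
mail_home     = /var/vmail/%d/%n          # assumed layout: domain/localpart
mail_location = maildir:~/Maildir

# conf.d/auth-ldap.conf.ext
passdb {
  driver = ldap
  args   = /etc/dovecot/dovecot-ldap.conf.ext
}
# prefetch consumes the userdb_* fields the passdb already returned, so an
# IMAP/POP login costs one search plus one bind and no second LDAP round trip.
userdb {
  driver = prefetch
}
# LMTP deliveries from Postfix and doveadm never go through a passdb, so they
# need a userdb that can look the user up on its own (Krisztián's last point).
userdb {
  driver = ldap
  args   = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

# /etc/dovecot/dovecot-ldap.conf.ext (passdb side)
uris             = ldaps://ldap.example.org                     # assumed host
tls_require_cert = hard
dn               = cn=dovecot,ou=services,dc=example,dc=org     # assumed service account
dnpass           = CHANGE-ME                                    # placeholder secret
auth_bind        = yes       # verify the password by binding as the user's own DN
base             = ou=people,dc=example,dc=org
scope            = subtree
# No bind DN template is possible when mail address and DN are unrelated, so
# the search below resolves %u (the login name) to a DN first and the bind is
# then attempted with that DN.
pass_filter      = (&(objectClass=inetOrgPerson)(mail=%u))
# Map only what Dovecot needs. userPassword is deliberately NOT requested:
# with auth_bind the directory checks the hash, so its scheme (ARGON2 or any
# other) never has to be understood by Dovecot, and the service account needs
# no read access to the attribute at all.
pass_attrs       = mail=user, =userdb_home=/var/vmail/%d/%n
# (assumption: prefetch only succeeds when the passdb reply carried at least
# one userdb_* field, which is why a templated userdb_home is returned here.)

# /etc/dovecot/dovecot-ldap-userdb.conf.ext (userdb side, same connection)
uris             = ldaps://ldap.example.org
tls_require_cert = hard
dn               = cn=dovecot,ou=services,dc=example,dc=org
dnpass           = CHANGE-ME
base             = ou=people,dc=example,dc=org
scope            = subtree
user_filter      = (&(objectClass=inetOrgPerson)(mail=%u))
user_attrs       = mail=user, =home=/var/vmail/%d/%n
```

Check both paths separately: `doveadm auth test someone@example.org` exercises the passdb bind plus prefetch, while `doveadm user someone@example.org` exercises only the ldap userdb, which is the path LMTP delivery takes. The one thing to confirm on the directory side once auth_bind is in use is that a simple bind with a non-empty DN and an empty password is rejected: Dovecot refuses empty passwords before binding, and OpenLDAP refuses such unauthenticated binds unless `allow bind_anon_dn` is set, but a server configured to accept them would turn every empty-password login into an anonymous bind that reports success.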