Good day to all,
 
this is my first post to the mailing list!
 
I'd like to report that non-binding auth to (Open)LDAP doesn't work if the 
latter hashes passwords with ARGON2.
 
Although dovecot (I am using 2.3.19.1) does support ARGON2 with 
libsodium, it doesn't recognize hashes beginning with "{ARGON2}$argon2id$" 
stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP.
 
Now, I understand that ARGON2I, -D, and -ID are not compatible, but the ACTUAL 
algorithm is there between the two $.
Furthermore, I think dovecot is in the minority here, I haven't met any 
software that specifies the ARGON2 subtype between {}.
BTW, I haven't met any software that hashes passwords with ARGON2, but not with 
the ARGON2ID subtype (where libsodium is available, which also seems to be the 
standard here), as THAT is the recommended one anyway.

I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
 
Could we get something like this (but maybe more correct) into the official 
source?
Maybe a config switch to alias it at runtime?
 
Thanks for the attention:
Krisztián
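
As an added example (not part of the original post, and not code from Dovecot or from the linked patch): a C sketch that resolves the verification scheme from the identifier between the two `$` signs when the prefix is the generic `{ARGON2}`, and rejects values whose explicit prefix contradicts the hash. The function names, the sample value, and the assumption that only the ARGON2I and ARGON2ID schemes are available are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the n bytes at s against the whole of name. */
static int name_is(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n)
        return 0;
    while (n-- > 0)
        if (toupper((unsigned char)s[n]) != toupper((unsigned char)name[n]))
            return 0;
    return 1;
}

/* Hypothetical helper: for "{SCHEME}$argon2xx$..." return the scheme to verify
 * with, or NULL if malformed, unsupported, or prefix and hash disagree. */
static const char *resolve_argon2_scheme(const char *stored)
{
    static const char *const schemes[] = { "ARGON2ID", "ARGON2I" }; /* assumed set */
    const char *close, *id, *end;
    size_t i, plen, idlen;
    if (stored == NULL || stored[0] != '{' ||
        (close = strchr(stored, '}')) == NULL || close[1] != '$')
        return NULL;
    id = close + 2;                       /* first byte after the leading '$' */
    if ((end = strchr(id, '$')) == NULL)
        return NULL;
    idlen = (size_t)(end - id);
    plen = (size_t)(close - (stored + 1));
    for (i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++) {
        if (!name_is(id, idlen, schemes[i]))
            continue;                     /* e.g. argon2d: no matching scheme */
        if (name_is(stored + 1, plen, "ARGON2"))
            return schemes[i];            /* generic prefix: the hash decides */
        /* Explicit prefix: accept only if it agrees with the hash itself. */
        return name_is(stored + 1, plen, schemes[i]) ? schemes[i] : NULL;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample value; salt and digest are placeholders. */
    const char *s = "{ARGON2}$argon2id$v=19$m=65536,t=3,p=1$c2FsdHNhbHQ$ZGlnZXN0";
    const char *r = resolve_argon2_scheme(s);
    printf("%s\n", r ? r : "(rejected)");
    return 0;
}
```

Failing closed on a prefix/hash mismatch keeps the alias from silently verifying a value under a variant other than the one the directory recorded.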
