> On 15/11/2022 14:45 EET Krisztián Szegi <oni-d...@mszk.eu> wrote: > > > Good day to all, > > this is my first post to the mailing list! > > I'd like to report that non-binding auth to (Open)LDAP doesn't work if the > latter hashes passwords with ARGON2. > > Although dovecot (I am using http://2.3.19.1) does support ARGON2 with > libsodium, but it doesn't recoginize hashes beginning "{ARGON2}$argon2id$" > stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP. > > Now, I understand that ARGON2I, -D, and -ID are not compatible, but the > ACTUAL algorithm is there between the two $. > Furthermore, I think dovecot is in the minority here, I haven't met any > software that specifies the ARGON2 subtype between {}. > BTW, I haven't met any software that hashes passwords with ARGON2, but not > with the ARGON2ID subtype (where libsodium is available, which also seems to > be the standard here), as THAT is the recommended one anyway. > > I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}: > https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch > > Could we get something like this (but maybe more correct) into the official > source? > Maybe a config switch to alias it runtime? > > Thanks for the attention: > Krisztián
Hi! Thanks for your report. I think it makes sense, we'll see what we can do about this. Aki