> On 15/11/2022 14:45 EET Krisztián Szegi <oni-d...@mszk.eu> wrote:
> 
>  
> Good day to all,
>  
> this is my first post to the mailing list!
>  
> I'd like to report that non-binding auth to (Open)LDAP doesn't work if the 
> latter hashes passwords with ARGON2.
>  
> Although dovecot (I am using 2.3.19.1) does support ARGON2 with 
> libsodium, but it doesn't recognize hashes beginning "{ARGON2}$argon2id$" 
> stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP.
>  
> Now, I understand that ARGON2I, -D, and -ID are not compatible, but the 
> ACTUAL algorithm is there between the two $.
> Furthermore, I think dovecot is in the minority here, I haven't met any 
> software that specifies the ARGON2 subtype between {}.
> BTW, I haven't met any software that hashes passwords with ARGON2, but not 
> with the ARGON2ID subtype (where libsodium is available, which also seems to 
> be the standard here), as THAT is the recommended one anyway.
> 
> I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
> https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
>  
> Could we get something like this (but maybe more correct) into the official 
> source?
> Maybe a config switch to alias it runtime?
>  
> Thanks for the attention:
> Krisztián
Hi!

Thanks for your report. I think it makes sense, we'll see what we can do about 
this.

Aki
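
Added example, not part of the thread and not Dovecot or OpenLDAP code: instead of aliasing {ARGON2} to one fixed subtype, the hypothetical helper `normalize_argon2_scheme` below reads the algorithm id between the first two `$` and rewrites the braces to match, rejecting values whose label contradicts it. It assumes the target scheme labels are ARGON2I and ARGON2ID; the sample hash is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: turn "{ARGON2}$argon2id$..." into
 * "{ARGON2ID}$argon2id$...". Returns 0 on success, -1 if rejected. */
int normalize_argon2_scheme(const char *stored, char *out, size_t outlen)
{
    /* Assumed mapping from the id inside the hash to the scheme label. */
    static const struct { const char *id; const char *scheme; } map[] = {
        { "argon2id", "ARGON2ID" },
        { "argon2i",  "ARGON2I"  },
    };
    const char *rb, *id, *end;
    size_t i, idlen, lablen;

    if (stored == NULL || out == NULL || stored[0] != '{')
        return -1;
    rb = strchr(stored, '}');
    if (rb == NULL || rb[1] != '$')
        return -1;
    id = rb + 2;                      /* text after the first '$' */
    end = strchr(id, '$');            /* second '$' ends the algorithm id */
    if (end == NULL)
        return -1;
    idlen = (size_t)(end - id);
    lablen = (size_t)(rb - stored - 1);

    for (i = 0; i < sizeof(map) / sizeof(map[0]); i++) {
        int generic, same, n;
        if (strlen(map[i].id) != idlen || strncmp(id, map[i].id, idlen) != 0)
            continue;
        /* Accept the generic label or one that already agrees with the id. */
        generic = lablen == 6 && strncasecmp(stored + 1, "ARGON2", 6) == 0;
        same = lablen == strlen(map[i].scheme) &&
               strncasecmp(stored + 1, map[i].scheme, lablen) == 0;
        if (!generic && !same)
            return -1;                /* e.g. {ARGON2ID}$argon2i$... */
        n = snprintf(out, outlen, "{%s}%s", map[i].scheme, rb + 1);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    return -1;                        /* argon2d or unknown id: not mapped */
}

int main(void)
{
    char buf[160];                    /* constructed sample value below */
    if (normalize_argon2_scheme("{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$c2FsdA$aGFzaA", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```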
