Build OpenLDAP pw-argon2 module for Argon2 key derivation function

[ghen2]

Update libsodium to 1.0.18 and OpenLDAP to 2.4.50 to include argon2 support.

See https://en.wikipedia.org/wiki/Argon2 for more information, and contrib/slapd-modules/passwd/argon2/README for OpenLDAP specific notes.

olcPasswordHash can be set to {ARGON2} (from current {SSHA512}) to use argon2 password hashes by default.

Tested on Centos 7. Debian build scripts adjusted but not validated.

[quanah]

OpenLDAP 2.4.50 is not safe to use with replication, update must be to 2.4.56 or later. See my pull request for updating to 2.4.56.

[ghen2]

@quanah You're still missing some bits in #118, like 1d9de9d?

[quanah]

I was simply updating the multival patch. I assume the Zimbra developers can maintain the rest of the system, which is what I was told when I quit 4 years ago.

[ghen2]

For clarity, this pull request is a complete upgrade to OpenLDAP to 2.4.56, with Argon2 support added (which requires newer libsodium as well).

[quanah]

You may want to change the default password hash in the configs to argon2 as well, so as passwords change they automatically make use of it. The SSHA2 pw module will continue to need to be loaded, but doesn't need to be the default.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
3 out of 4 committers have signed the CLA.

✅ ghen2
✅ quanah
✅ umagmrit
❌ Prashantsurana

---

Prashantsurana seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[ghen2]

PR has been updated for OpenLDAP 2.5.13, where pw-argon2 is now a standard release module, no longer a contrib module. Only needs --with-argon2 (and more recent libsodium).

[umagmrit]

@ghen2 if we add pw-argon2 module, what will be the default password hash ? We don't want to change the current password hash. Could you please also share impacted areas and testing scope of this new module ?

[ghen2]

This PR only builds the argon2 module, it is not loaded or used by default. SSHA512 is still the default password hash.

OpenLDAP cn=config needs to be changed in two places: olcModuleLoad to load the argon2 module, and olcPasswordHash to use it by default for new passwords.

See the migrate20140728-AddSSHA512.pl script where the pw-sha2 module and SSHA512 default were introduced.

[quanah]

It would be necessary to ensure that the SSHA512 module continues to be loaded in slapd so the existing hashes continue to function, but I agree switching to ARGON2 is critical. I would note that the argon2 library (vs libsodium) offers more configuration options for the hashes, which may be desirable, but adds another library to the zimbra buildout.