
Issue with recognizing certain hashed passwords in LDAP #8

Closed
sirrkitt opened this issue Jul 18, 2023 · 5 comments

Comments

@sirrkitt

I'm currently running the official docker arm64 container, trying to get Stalwart to work with an OpenLDAP directory that has passwords hashed with argon2.

Trying to auth against some of these accounts, I get the following error logged from Stalwart:
WARN directory::secret: Unsupported password hash algorithm context="directory" event="error" algorithm="ARGON2"

I took a peek through the relevant source and it looks like it isn't able to evaluate/match the passwords to argon2 because OpenLDAP stores the passwords differently than expected by Stalwart. I see a condition that checks if the password starts with $argon2 but OpenLDAP generally stores its passwords with the algorithm stored within brackets, followed by the password/hash after that.

An example of a password stored in OpenLDAP in this format would be the following:
{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$xRd2axJow818R4IVEjqdbg$y3Mm4pHnPEh/5PgyU+SWRCj9M44vY45hejY3RSdE72Y

It also looks like there are some types of crypt that would fall into a similar pit, i.e.:

{CRYPT}$6$rounds=50000$4XSqWr3MK8MtGRs$cz6fsr6uqwU5tDLhrnZRCra.xmuOm.lsZKeybuytG3jTE8pwP45j29NHP/C15ejdRXp0ZIqppIH2vm4jYTy/S1

{CRYPT}$6$$ek/ucQg0IM8SQLyD2D66mpoW0vAF26eA0/pqoN95V.F0nZh1IFuENNo0OikacRkDBk5frNqziMYMdVVrQ0o.51

{CRYPT}$1$$IqH.8BV8l9Uhl3qbv9FMq/

{CRYPT}$5$$zuuTJtok6EzzyDhHOum0I1x.ucYLJxAGeQgHLQ/ohK0

Thanks!

@mdecimus
Member

Please check the documentation explaining the supported password hashing schemes and their prefixes.

Basically, the {} prefix is expected when the hashing algorithm does not have a unique prefix, for example {SHA} or {SSHA}. In the case of Argon and other encryption/hashing algorithms, they already have their own unique prefixes (for example, $argon2) and they should be stored without a {} prefix. This was done to have compatibility with other mail systems such as Dovecot that use the same hashing schemes.

Which management system or LDAP directory is storing Argon2 passwords as {ARGON2}$argon2id$?
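Added example, not code from the Stalwart project: a Rust sketch of the scheme detection the maintainer describes, extended to the bracketed {ARGON2} and {CRYPT} forms from the report. It assumes only the modular-crypt prefixes that appear on this page ($argon2, $1$, $5$, $6$); the enum and function names are invented.

```rust
/// Outcome of scheme detection for a stored LDAP password value.
#[derive(Debug, PartialEq, Eq)]
pub enum HashScheme {
    Argon2, Md5Crypt, Sha256Crypt, Sha512Crypt,
    Sha, Ssha, Plain, Unsupported(String),
}

/// Split an optional RFC 2307 style `{SCHEME}` prefix off a stored value.
fn split_scheme(value: &str) -> (Option<&str>, &str) {
    if let Some(rest) = value.strip_prefix('{') {
        if let Some(end) = rest.find('}') {
            return (Some(&rest[..end]), &rest[end + 1..]);
        }
    }
    (None, value)
}

/// Recognise a modular-crypt string by its self-identifying `$id$` prefix.
fn modular_crypt_scheme(hash: &str) -> Option<HashScheme> {
    match hash {
        h if h.starts_with("$argon2") => Some(HashScheme::Argon2),
        h if h.starts_with("$1$") => Some(HashScheme::Md5Crypt),
        h if h.starts_with("$5$") => Some(HashScheme::Sha256Crypt),
        h if h.starts_with("$6$") => Some(HashScheme::Sha512Crypt),
        _ => None,
    }
}

/// Returns the detected scheme and the string to hand to that scheme's verifier.
pub fn classify(stored: &str) -> (HashScheme, &str) {
    let (scheme, rest) = split_scheme(stored);
    match scheme {
        // {ARGON2}$argon2id$... and {CRYPT}$6$...: the braces add nothing, the
        // inner $id$ prefix already names the algorithm, so dispatch on that.
        // A {CRYPT} value with no $id$ prefix (classic DES crypt) stays unsupported.
        Some(s) if s.eq_ignore_ascii_case("ARGON2") || s.eq_ignore_ascii_case("CRYPT") => {
            modular_crypt_scheme(rest)
                .map(|m| (m, rest))
                .unwrap_or_else(|| (HashScheme::Unsupported(s.to_string()), rest))
        }
        Some(s) if s.eq_ignore_ascii_case("SHA") => (HashScheme::Sha, rest),
        Some(s) if s.eq_ignore_ascii_case("SSHA") => (HashScheme::Ssha, rest),
        Some(s) => (HashScheme::Unsupported(s.to_string()), rest),
        // No braces: a $id$ prefix decides; anything else is taken as plain text.
        None => modular_crypt_scheme(rest)
            .map(|m| (m, rest))
            .unwrap_or((HashScheme::Plain, rest)),
    }
}
```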

@sirrkitt
Author

sirrkitt commented Jul 18, 2023

I’m using OpenLDAP and I’m not sure if that’s just unique to how they store passwords or not.

I never had issues with Dovecot but that was because I previously was using user auth binds for password verification as opposed to reading the password attribute and comparing.

Looking through some Dovecot commits, it looks like they do actually support the scheme being in brackets, which I do understand is redundant.

@mdecimus
Member

OpenLDAP only documents a few password hashing schemes but I found that the Argon2 plugin does add a prefix between curly brackets.

No problem, I'll add support for that now.

@mdecimus
Member

The latest version on the repo should fix this. It also has an updated Dockerfile that adds the CA certificates to the image.

Could you pull the latest version from the repository and build the image locally to make sure everything works? I'm asking this because the GitHub CI action emulates ARM64 with QEMU and takes 6 hours to build the ARM64 Docker images.

@sirrkitt
Author

Looks like it's working! Thanks!
