Issue with recognizing certain hashed passwords in LDAP #8
Comments
Please check the documentation explaining the supported password hashing schemes and their prefixes. Basically, the Which management system or LDAP directory is storing Argon2 passwords as
I’m using OpenLDAP and I’m not sure if that’s just unique to how they store passwords or not. I never had issues with Dovecot, but that was because I previously was using user auth binds for password verification as opposed to reading the password attribute and comparing. Looking through some Dovecot commits, it looks like they do actually support the scheme being in brackets, which I do understand is redundant.
OpenLDAP only documents a few password hashing schemes, but I found that the Argon2 plugin does add a prefix between curly brackets. No problem, I'll add support for that now.
The latest version on the repo should fix this. It also has an updated Could you pull the latest version from the repository and build the image locally to make sure everything works? I'm asking this because the GitHub CI action emulates ARM64 with QEMU and takes 6 hours to build the ARM64 Docker images.
Looks like it's working! Thanks!
I'm currently running the official docker arm64 container, trying to get Stalwart to work with an OpenLDAP directory that has passwords hashed with argon2.
Trying to auth against some of these accounts, I get the following error logged from Stalwart:
WARN directory::secret: Unsupported password hash algorithm context="directory" event="error" algorithm="ARGON2"
I took a peek through the relevant source and it looks like it isn't able to evaluate/match the passwords to argon2 because OpenLDAP stores the passwords differently than expected by Stalwart. I see a condition that checks if the password starts with $argon2, but OpenLDAP generally stores its passwords with the algorithm stored within brackets, followed by the password/hash after that.
An example of a password stored in OpenLDAP in this format would be the following:
{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$xRd2axJow818R4IVEjqdbg$y3Mm4pHnPEh/5PgyU+SWRCj9M44vY45hejY3RSdE72Y
It also looks like there are some types of crypt that would fall into a similar pit, i.e.:
{CRYPT}$6$rounds=50000$4XSqWr3MK8MtGRs$cz6fsr6uqwU5tDLhrnZRCra.xmuOm.lsZKeybuytG3jTE8pwP45j29NHP/C15ejdRXp0ZIqppIH2vm4jYTy/S1
{CRYPT}$6$$ek/ucQg0IM8SQLyD2D66mpoW0vAF26eA0/pqoN95V.F0nZh1IFuENNo0OikacRkDBk5frNqziMYMdVVrQ0o.51
{CRYPT}$1$$IqH.8BV8l9Uhl3qbv9FMq/
{CRYPT}$5$$zuuTJtok6EzzyDhHOum0I1x.ucYLJxAGeQgHLQ/ohK0
Thanks!
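The issue body describes exactly the normalisation step that was missing: OpenLDAP prefixes the stored value with a `{SCHEME}` tag, and only after that tag does the familiar `$argon2id$…` or `$6$…` modular crypt string begin. The following is an added example written for this thread; it is not Stalwart's code and does not reproduce its `directory::secret` logic. It strips the tag, parses the `$`-separated fields for the Argon2 and CRYPT values quoted above, checks that the tag agrees with what the `$` prefix says, and dispatches to a verifier. The `MCF_IDS` table, the function names, treating scheme tags as case-insensitive, and the use of `argon2-cffi` (optional) and the stdlib `crypt` module (present up to Python 3.12) are this example's own assumptions. The hash values used in the test are the ones posted in the issue.

```python
"""Normalise OpenLDAP userPassword values of the form {SCHEME}<hash> and
dispatch them to a verifier.  Added example for this issue thread; it is not
Stalwart's code and the names below are this example's own."""
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Modular-crypt-format identifiers seen in the thread, mapped to the OpenLDAP
# scheme they belong under and a readable algorithm name (assumed table).
MCF_IDS = {
    "1": ("CRYPT", "md5crypt"),
    "5": ("CRYPT", "sha256crypt"),
    "6": ("CRYPT", "sha512crypt"),
    "argon2i": ("ARGON2", "argon2i"),
    "argon2d": ("ARGON2", "argon2d"),
    "argon2id": ("ARGON2", "argon2id"),
}

# RFC 2307 style tag: {SCHEME} followed by the scheme-specific payload.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)


@dataclass
class ParsedHash:
    scheme: Optional[str]       # OpenLDAP {SCHEME} tag, upper-cased, or None
    family: Optional[str]       # scheme implied by the $-prefix, or None
    algorithm: str              # e.g. "sha512crypt", "argon2id", "unknown"
    raw: str                    # the $-string a verifier needs (tag removed)
    params: dict = field(default_factory=dict)
    salt: str = ""
    digest: str = ""


def parse_userpassword(value: str) -> ParsedHash:
    """Strip an optional {SCHEME} tag, then split the modular crypt string."""
    scheme = None
    m = SCHEME_RE.match(value)
    if m:
        scheme, value = m.group(1).upper(), m.group(2)
    unknown = ParsedHash(scheme, None, "unknown", value)
    if not value.startswith("$"):
        return unknown
    ident, *rest = value.split("$")[1:]      # leading "$" yields an empty field
    if ident not in MCF_IDS or len(rest) < 2:
        return unknown
    family, algorithm = MCF_IDS[ident]
    params = {}
    try:
        if family == "ARGON2":
            # $argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>
            for seg in rest[:-2]:
                for kv in seg.split(","):
                    k, _, v = kv.partition("=")
                    params[k] = int(v)
        elif rest[0].startswith("rounds="):
            # $6$rounds=50000$<salt>$<hash>; without rounds= the salt comes first
            params["rounds"] = int(rest[0][len("rounds="):])
            rest = rest[1:]
    except ValueError:
        return unknown
    if len(rest) < 2:
        return unknown
    return ParsedHash(scheme, family, algorithm, value, params, rest[-2], rest[-1])


def scheme_consistent(p: ParsedHash) -> bool:
    """A {SCHEME} tag must agree with the algorithm the $-prefix names; a bare
    $-string (no tag) is accepted when the prefix itself is recognised."""
    return p.family is not None and (p.scheme is None or p.scheme == p.family)


def verify(stored: str, candidate: str) -> Optional[bool]:
    """True/False for a verified comparison; None when this example cannot
    check the hash (unknown scheme, inconsistent tag, or missing library).
    Callers must treat None as a failed login, never as "no password set"."""
    p = parse_userpassword(stored)
    if not scheme_consistent(p):
        return None
    if p.family == "ARGON2":
        try:
            from argon2 import PasswordHasher            # argon2-cffi, optional
            from argon2.exceptions import VerifyMismatchError
        except ImportError:
            return None
        try:
            return PasswordHasher().verify(p.raw, candidate)
        except VerifyMismatchError:
            return False
    if p.family == "CRYPT":
        try:
            import crypt                                  # stdlib up to Python 3.12
        except ImportError:
            return None
        out = crypt.crypt(candidate, p.raw)               # full hash acts as the setting
        return out is not None and hmac.compare_digest(out, p.raw)
    return None
```

The `None` branch is the one the `Unsupported password hash algorithm` warning in the issue corresponds to: a scheme the code cannot evaluate must make the bind fail, not fall through to a plaintext comparison or a permissive match. Note that `{CRYPT}$1$$…` and `{CRYPT}$5$$…` carry an empty salt field, which the parser preserves as an empty string rather than treating as malformed, since that is what the directory actually stores.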