On 01.12.21 at 08:00, Ulrich Windl wrote:
> But isn't the real question whether clients using MD5 can handle ARGON2?
Hello Ulrich,
No, it isn't. MD5 was an example only. Mostly I see {SHA} and {SSHA}.
Let me explain my understanding of operating an identity-provider.
- identity-provider = OpenLDAP-Server
- service-provider = dovecot / apache/nginx for example
- client = MUA / Webbrowser
- any connections between client and service-provider as well as between
service-provider and identity-provider are encrypted
- a service-provider validating a password gets a plaintext password from a client
and transfers it to the identity-provider
The response is only Yes/No = password was right or wrong
-> no service-provider must handle any hashing scheme for that job
- a service-provider setting a new password gets a plaintext password from a client
and transfers it to the identity-provider
-> no service-provider must handle any hashing scheme for that job
- for the identity provider there are only two types of access to an attribute
'userPassword':
compare/authenticate and write.
User's passwords are always transferred un-hashed /to/ the identity-provider.
- the identity-provider takes care of calculating and storing that hash.
Is this model correct?
And as part of this model I'd like to avoid any service-provider writing a local
pre-hashed userPassword.
Andreas
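The model Andreas describes, as an added illustration that is not part of the thread and not OpenLDAP code: a stand-in identity-provider exposes only two operations on userPassword, authenticate (plaintext in, yes/no out, like a simple bind) and set_password (plaintext in, server picks the hash, like the Password Modify extended operation of RFC 3062 with the scheme chosen by olcPasswordHash). The service-provider function never touches a hash, so the identity-provider can be switched from {SSHA} to a stronger scheme without any change on the dovecot/apache side. The {SSHA} and {SHA} layouts are the real OpenLDAP ones; the {PBKDF2-SHA512} string layout and the IdentityProvider class are constructed for this example, not the on-disk format of OpenLDAP's pbkdf2 module.

```python
import base64
import hashlib
import hmac
import secrets

# --- hashing lives only inside the identity-provider ---------------------

def _ssha_hash(plaintext, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), 20-byte digest first."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _pbkdf2_hash(plaintext, salt=None, rounds=100_000):
    """Constructed layout for this example: {PBKDF2-SHA512}rounds$b64salt$b64hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", plaintext.encode("utf-8"), salt, rounds)
    return "{PBKDF2-SHA512}%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii"))


def _verify(stored, plaintext):
    """Check a plaintext against one stored userPassword value; unknown schemes fail closed."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(plaintext.encode("utf-8")).digest())
    if stored.startswith("{PBKDF2-SHA512}"):
        rounds, salt_b64, dk_b64 = stored[len("{PBKDF2-SHA512}"):].split("$")
        expected = hashlib.pbkdf2_hmac(
            "sha512", plaintext.encode("utf-8"), base64.b64decode(salt_b64), int(rounds))
        return hmac.compare_digest(base64.b64decode(dk_b64), expected)
    return False  # cleartext or unrecognised scheme: refuse rather than guess


class IdentityProvider:
    """Constructed stand-in for the OpenLDAP server. Holds the hashed userPassword values."""

    def __init__(self, password_hash_scheme="{SSHA}"):
        self.scheme = password_hash_scheme   # plays the role of olcPasswordHash
        self.store = {}                      # dn -> stored userPassword value

    def _hash(self, plaintext):
        if self.scheme == "{SSHA}":
            return _ssha_hash(plaintext)
        if self.scheme == "{PBKDF2-SHA512}":
            return _pbkdf2_hash(plaintext)
        raise ValueError("unsupported configured scheme: %s" % self.scheme)

    def set_password(self, dn, plaintext):
        """Write path: caller sends plaintext, the server decides and applies the hash."""
        self.store[dn] = self._hash(plaintext)

    def authenticate(self, dn, plaintext):
        """Compare path: the only answer that leaves the server is True/False."""
        stored = self.store.get(dn)
        return stored is not None and _verify(stored, plaintext)

    def stored_scheme(self, dn):
        """Which scheme an entry currently carries (for the admin, not for clients)."""
        return self.store[dn].split("}", 1)[0] + "}"


# --- the service-provider side (dovecot / apache stand-in) ---------------

def service_provider_login(idp, dn, plaintext):
    """Forwards the plaintext it got from the MUA/browser; knows nothing about hashes."""
    return idp.authenticate(dn, plaintext)


def service_provider_change_password(idp, dn, new_plaintext):
    """Forwards the new plaintext; never writes a pre-hashed userPassword itself."""
    idp.set_password(dn, new_plaintext)


def demo():
    """Walk through login, legacy {SHA} entry, and a scheme migration; returns the outcomes."""
    alice, bob = "uid=alice,dc=example,dc=org", "uid=bob,dc=example,dc=org"
    idp = IdentityProvider("{SSHA}")
    service_provider_change_password(idp, alice, "correct horse")
    # Constructed legacy entry written long ago with the unsalted {SHA} scheme.
    idp.store[bob] = "{SHA}" + base64.b64encode(hashlib.sha1(b"old-bob-pw").digest()).decode()
    ok_alice = service_provider_login(idp, alice, "correct horse")
    bad_alice = service_provider_login(idp, alice, "wrong")
    ok_bob_legacy = service_provider_login(idp, bob, "old-bob-pw")
    # Admin strengthens the configured scheme; service-provider code is untouched.
    idp.scheme = "{PBKDF2-SHA512}"
    service_provider_change_password(idp, bob, "new-bob-pw")
    return (ok_alice, bad_alice, ok_bob_legacy,
            idp.stored_scheme(alice), idp.stored_scheme(bob),
            service_provider_login(idp, bob, "new-bob-pw"),
            service_provider_login(idp, bob, "old-bob-pw"))


if __name__ == "__main__":
    print(demo())
```

The point of the two service_provider_* functions is that they would look the same whether the server stores {SSHA}, PBKDF2 or ARGON2: the scheme is a server-side configuration decision, and a service-provider that instead writes its own pre-hashed value locks the deployment to whatever scheme that one application happens to implement.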