
Support LDAP userPassword (hashed)

Open markus-seidl opened this issue 2 years ago • 3 comments

Is your feature request related to a problem? Please describe. As far as I understand delivering the userPassword via LDAP is not supported. This is needed for fast dovecot ldap authorisation, when oauth isn't viable. ( https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups ) Dovecot supports delivering hashed passwords, which might be a viable option instead of doing plaintext passwords (which, as I understand, authentik doesn't support).

Describe the solution you'd like Deliver SHA encrypted passwords; ideally this would be configurable (maybe other servers require different settings?).

Describe alternatives you've considered Dovecot has authentication binds, which are "slower" and sometimes not exposed as default configuration (for example as in the docker-mailserver https://docker-mailserver.github.io/docker-mailserver )

Additional context

markus-seidl avatar Feb 13 '22 04:02 markus-seidl

So to be clear, this is describing the authentik LDAP Outpost delivering hashed passwords, and not LDAP authentication against an existing server?

sevmonster avatar Feb 27 '22 06:02 sevmonster

Exactly. I wanted to use dovecot, which handles authentication itself ("performantly") if it knows the hash from authentik.

markus-seidl avatar Mar 14 '22 16:03 markus-seidl

This would also be helpful for me.

clstrickland avatar May 06 '22 00:05 clstrickland

I just came with the same situation when setting up Synology NAS with authentik's ldap outpost. Is there any plan to implement this feature?

ZacharyJia avatar May 14 '23 10:05 ZacharyJia

With the cached binding the speed of the actual bind should be less of an issue, but aside from that, this is possible to do with policies. We've made the choice, for the sake of security, to not document certain ways that make it easy to handle passwords insecurely, even if they are possible, to prevent people from accidentally doing so without being aware of the consequences.

BeryJu avatar Jun 15 '23 15:06 BeryJu

@BeryJu it should be quite obvious that that's an extremely unhelpful answer.

This issue is about providing the userPassword LDAP attribute (ref RFC 2307) for LDAP clients that perform hashed password comparisons instead of performing LDAP binds.

I can see no way from the existing documentation that would allow policies to provide this functionality.

pdf avatar Jun 15 '23 22:06 pdf