authentik
Support LDAP userPassword (hashed)
Is your feature request related to a problem? Please describe.
As far as I understand, delivering the userPassword via LDAP is not supported. This is needed for fast dovecot LDAP authorisation, when OAuth isn't viable (https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups). Dovecot supports delivering hashed passwords, which might be a viable option instead of doing plaintext passwords (which, as I understand, authentik doesn't support).
Describe the solution you'd like
Deliver SHA encrypted passwords; ideally this would be configurable (maybe other servers require different settings?).
Describe alternatives you've considered
Dovecot has authentication binds, which are "slower" and sometimes not exposed in the default configuration (for example in docker-mailserver, https://docker-mailserver.github.io/docker-mailserver).
Additional context
So to be clear, this is describing the authentik LDAP Outpost delivering hashed passwords, and not LDAP authentication against an existing server?
Exactly. I wanted to use dovecot, which handles authentication itself ("performantly") if it knows the hash from authentik.
This would also be helpful for me.
I just came with the same situation when setting up Synology NAS with authentik's ldap outpost. Is there any plan to implement this feature?
With the cached binding the speed of the actual bind should be less of an issue, but aside from that, this is possible to do with policies. We've made the choice, for the sake of security, not to document certain ways that make it easy to potentially handle passwords insecurely, even if they are possible, to prevent people from accidentally doing so without being aware of the consequences.
@BeryJu it should be quite obvious that that's an extremely unhelpful answer.
This issue is about providing the userPassword LDAP attribute (ref RFC 2307) for LDAP clients that perform hashed password comparisons instead of performing LDAP binds.
I can see no way from the existing documentation that would allow policies to provide this functionality.
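For readers unfamiliar with what the thread is asking for, the following is an added illustration (not authentik's code, and not part of this issue) of the RFC 2307 userPassword attribute format that a password-lookup client such as Dovecot compares against. It assumes the common `{SSHA}` (salted SHA-1) and `{SHA}` schemes; which scheme authentik would actually emit is exactly the open question in this issue.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 2307 convention: "{SCHEME}" prefix followed by base64 payload.
# For {SSHA} the payload is sha1(password || salt) || salt, so the
# verifier can recover the salt from the stored value itself.
SHA1_DIGEST_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value for storing in the directory."""
    if salt is None:
        salt = os.urandom(8)  # per-user random salt, as a directory server would do
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} userPassword value (weaker; shown for comparison)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a userPassword attribute value,
    the way a client doing an LDAP password lookup (rather than a bind) does.
    Uses a constant-time comparison so the check does not leak timing."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    # Any other scheme (e.g. {CRYPT}, {CLEARTEXT}) is deliberately not handled here.
    raise ValueError("unsupported userPassword scheme: " + stored.split("}")[0] + "}")


if __name__ == "__main__":
    # Constructed demo values, not taken from any real directory.
    stored = make_ssha("correct horse battery staple")
    print(stored)
    print(verify_userpassword(stored, "correct horse battery staple"))  # True
    print(verify_userpassword(stored, "wrong password"))                # False
```

The point for this issue: once the directory exposes a value like the `{SSHA}...` string above, a client can authenticate users by reading the attribute and running this comparison locally, with no bind per login; the flip side is that anyone with read access to `userPassword` holds an offline-crackable hash, which is the risk the maintainer's comment alludes to.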