On 01.12.21 at 08:00, Ulrich Windl wrote:
But isn't the real question whether clients using MD5 can handle ARGON2?
Hello Ulrich,
No, it isn't. MD5 was an example only. Mostly I see {SHA} and {SSHA}.
Let me explain my understanding of operating an identity-provider.
- identity-provider = OpenLDAP-Server
- service-provider = dovecot / apache / nginx, for example
- client = MUA / web browser
- all connections between client and service-provider, as well as between service-provider and identity-provider, are encrypted
- a service-provider validating a password gets a plaintext password from a client and transfers it to the identity-provider. The response is only Yes/No = password was right or wrong -> no service-provider must handle any hashing scheme for that job
- a service-provider setting a new password gets a plaintext password from a client and transfers it to the identity-provider -> no service-provider must handle any hashing scheme for that job
- for the identity-provider there are only two types of access to the attribute 'userPassword': compare/authenticate and write. Users' passwords are always transferred un-hashed /to/ the identity-provider.
- the identity-provider takes care of the calculation and storage of that hash.
Is this model correct?
And as part of this model I'd like to avoid any service-provider writing a locally pre-hashed userPassword.
Andreas
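For the identity-provider side of the model above, the following cn=config fragment is an added example (not part of this thread) of how slapd can be told to do all hashing itself and to expose userPassword only for bind/compare or for write. It assumes slapd is built with Argon2 support and has the ppolicy overlay loaded; the database DN olcDatabase={1}mdb,cn=config and the overlay index {0} are assumptions.

```ldif
# Constructed example: make slapd (the identity-provider) hash passwords
# itself and restrict userPassword to "auth" (bind/compare) or "write".
# Assumption: slapd built with Argon2 support; ppolicy overlay loaded.

# 1. Scheme used when a password arrives via the Password Modify
#    extended operation (RFC 3062), e.g. from ldappasswd or a
#    service-provider forwarding the user's new plaintext password.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {ARGON2}

# 2. Also hash a cleartext userPassword written with an ordinary LDAP
#    Modify, so callers that use Modify instead of the extended
#    operation still never leave a cleartext value in the directory.
#    (DN of the overlay entry is an assumption.)
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE

# 3. Nobody can read the stored hash: "auth" grants only bind/compare,
#    which is the Yes/No check a service-provider needs; "self write"
#    lets the user set a new password. (Database DN is an assumption.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Note that olcPPolicyHashCleartext only hashes cleartext values as they arrive; a value that already carries a {SCHEME} prefix is stored as given, so keeping service-providers from writing pre-hashed values remains a matter of how they are configured, not of slapd rejecting them.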