
[enhancement]: Implement FreeIPA password hash algorithm #538

Open
1 task done
DodoLeDev opened this issue Jun 13, 2024 · 6 comments

Labels
enhancement New feature or request

Comments

@DodoLeDev

DodoLeDev commented Jun 13, 2024

Which feature or improvement would you like to request?

Stalwart officially supports the PBKDF hash algorithm, and FreeIPA uses it as its default.

It would be awesome to make Stalwart work flawlessly with this LDAP provider.

Is your feature request related to a problem?

However, Stalwart doesn't understand FreeIPA's password hash syntax.

As we can see here, the {PBKDF2} prefix is understood, but FreeIPA uses {PBKDF-SHA1}, {PBKDF-SHA256}, {PBKDF-SHA512}, which ends up throwing an "Unsupported password hash algorithm" error.

It should not take a lot of effort to provide, because these encryption algorithms are supported by the crate concerned.

I hope to see it soon!

P.S.: I am currently working on implementing it myself, and a PR will arrive soon, but because it's my first time with Rust, the code will probably be clumsy.

Code of Conduct

  • I agree to follow this project's Code of Conduct
@DodoLeDev
Author

PR ready!

@Alcorio

Alcorio commented Jan 22, 2025

PR ready!

Hello, I used the code you submitted in #539 and added these two parts of the code to the project's source code. I compiled and released it using "cargo build --release". I then used the generated stalwart-mail.exe and connected it to my LDAP server. However, I still encountered an error similar to the following during login:

ERROR Authentication error (auth.error) listenerId = "http", localPort = 8081, remoteIp = 192.168.0.108, remotePort = 63129, reason = Unsupported algorithm, details = "$pbkdf2-sha512$25000$dj99... causedBy = crates\directory\src\core\dispatch.rs:30

Were you able to successfully resolve this issue with your code?

@Alcorio

Alcorio commented Feb 7, 2025

Thank you. I have resolved the issue I encountered. Instead of modifying the source code for compilation, I used the code you submitted to change the password format from:

$pbkdf2-sha512$25000$eEnPDAz4PF.HcsJFkx5iUw$RN4oO....

to

$pbkdf2-sha512$i=25000,l=64$eEnPDAz4PF.HcsJFkx5iUw$RN4oO....

With this change, Stalwart no longer reports the "Unsupported algorithm" error and allows normal login.

I also encountered a minor issue: it seems that Stalwart uses standard Base64 encoding, whereas this Base64 variant replaces certain characters. Conversion to standard Base64 is required for it to work properly. It would be great if future updates of Stalwart could support these variations.

@mdecimus
Member

mdecimus commented Feb 9, 2025

I'm not familiar with FreeIPA but does it support LDAP bind authentication? If so you can configure Stalwart to use bind auth and delegate the password hash validation to FreeIPA.

@cpollmann

@mdecimus Yes, FreeIPA supports bind authentication and I don't have any issues with my setup.

Settings I changed:

Url: ldaps://ipa01.example.com:636
Base DN: cn=users,cn=accounts,dc=example,dc=com

Bind Auth DN: uid=?,cn=users,cn=accounts,dc=example,dc=com

@DodoLeDev
Author

@cpollmann Even with your setup, I am currently facing the following issue:

ERROR Authentication error (auth.error) listenerId = "https", localPort = *****, remoteIp = *******, remotePort = ******, details = Authentication error (auth.error) { details = Account does not contain secrets, causedBy = crates/common/src/auth/oauth/token.rs:239, causedBy = crates/common/src/auth/oauth/token.rs:53 }, causedBy = crates/jmap/src/auth/oauth/token.rs:129


4 participants