Yes, that is correct, and by design. We do not store a hash of the user's password, only enough data to have an interactive zero-knowledge proof that the user has the same password than when he registered

ah, right, the opaque thing (:) thx)

Haha hopefully not!

Ah! I forgot this. Ok, i'm gonna try to write the simplest config i can for pam_ldap and report back if it works

After 30s of reading, it seems like setting up pam (with sssd maybe?) to authenticate to LLDAP, and then using that for opensmtpd would be the way to go

indeed, that's what they seem to prefer (i looked into the ldap-table thing, but it's brittle and weird and kindof not for this)

If you need help setting it up, getting the attributes working, feel free to ask

Hey, i got back to working on this again and finally got it to work (at least with pamtester, will do the real test with opensmtpd tomorrow). Custom attributes weren't needed (very glad!), the only pitfall is to disable some ldap extension for password policy (control oid 1.3.6.1.4.1.42.2.27.8.5.1).

pam_authc_ppolicy no

in

/etc/nslcd.conf

. The rest is straitforward. I'll try to contribute an example config for this soon (when my config gets stablized)

Oh, wow, we can get PAM without custom attributes? That's great news 🎉

Yes indeed! I guess it will confuse a lot of pam users (like logind) because without custom attributes there will be missing env vars, but for basic users of the

auth

chain it should work