Hi,
I have been trying to set up authorization via keycloak (where keycloak has user federation set up to LightLDAP lldap). It works for webmail login: it redirects to keycloak and logs the user in, creates the mailbox, etc. But it does not authenticate a mail client that connects directly to the IMAP server (for example). I have been following the instructions here: https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-keycloak/ and believe that I must set up mailcow_password for this to work, and I have been struggling to understand how to create the mapper for the LDAP userPassword in keycloak (which I can then map to mailcow_password). I found this, though, in the LLDAP documentation:
Finally, some services require password hashes so they can validate themselves the user’s password without contacting LLDAP. This is not and will not be supported, it’s incompatible with our password hashing scheme (a zero-knowledge proof). Furthermore, it’s generally not recommended in terms of security, since it duplicates the places from which a password hash could leak.
So I wanted to check: does this mean I'm out of luck with this? If I want to have users authenticating, etc. via (for example) a Thunderbird mail client against IMAP, will I have to replace the LDAP server with something else?
Thanks,
Eoin.