diff --git a/howto/ldap.md b/howto/ldap.md index e42751d9e4d7a6a1ba20b2b239030bca1b639c86..350e1a50029c84a53bfe477d978ce5e92c7b725d 100644 --- a/howto/ldap.md +++ b/howto/ldap.md @@ -862,6 +862,7 @@ one subdirectory per host. | `mail-whitelist` | ? | mailWhitelist | | `markers` | xearth geolocation markers, unless `NOMARKERS` in `extraOptions` | `latitude`, `longitude` | | `passwd.tbd` | `passwd` file template, if `loginShell` is set and user has access | `uid`, `uidNumber`, `gidNumber`, `gecos`, `loginShell` | +| `mail-passwords` | secondary password for mail authentication | `uid`, `mailPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) | | `rtc-passwords` | secondary password for RTC calls | `uid`, `rtcPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) | | `shadow.tdb` | `shadow` file template, same as `passwd.tdb`, if `NOPASSWD` not in `extraOptions` | `uid`, `uidNumber`, `userPassword`, `shadowExpire`, `shadowLastChange`, `shadowMin`, `shadowMax`, `shadowWarning`, `shadowInactive` | | `ssh-gitolite` | `authorized_keys` file for `gitolite`, if `GITOLITE` in `exportOptions` | `uid`, `sshRSAAuthKey` | @@ -985,7 +986,7 @@ obviously distributes authentication systems all over the place: * PAM and NSS usernames and passwords * SSH user authentication keys * SSH server public keys - * `webPassword`, `rtcPassword` and so on + * `webPassword`, `rtcPassword`, `mailPassword`, and so on * email forwards and email block list checks * DNS zone files (which may include things like SSH server public keys, for example) 
@@ -1032,6 +1033,7 @@ modified or deleted by the user through the email interface | `mailRHSBL` | set of RHSBLs to use | | `mailWhitelist` | sender envelopes to whitelist | | `mailDisableMessage` | message to bounce messages with to disable an email account | +| `mailPassword` | [crypt(3)][]-hashed password used for email authentication | | `rtcPassword` | previously used in XMPP authentication, unused | | `samba*` | many samba fields, unused | | `shadowExpire` | `1` if the account is expired | @@ -1048,6 +1050,7 @@ modified or deleted by the user through the email interface | `uid` | User identifier, the user's *name* | | `userPassword` | LDAP password field, stripped of the `{CRYPT}` prefix to be turned into a UNIX password if relevant | +[crypt(3)]: https://manpages.debian.org/crypt.3 [cdbmake(1)]: https://manpages.debian.org/cdbmake.1 #### sudoPassword field format @@ -1178,6 +1181,7 @@ host. It can either enable or inhibit the creation of certain files. `shadow` file. also marks a host as `UNTRUSTED` (below) * `PRIVATE`: ship the `debian-private` mailing list registration file * `RTC-PASSWORDS`: ship the `rtc-passwords` file + * `MAIL-PASSWORDS`: ship the `mail-passwords` file * `TOTP`: ship the `users.oath` file * `UNTRUSTED`: skip sudo passwords for this host unless explicitly set 
@@ -1903,6 +1907,15 @@ The **diff with upstream** also makes it hard to collaborate. We should make it possible to use directly the upstream package with a local configuration, without having to ship and maintain our own fork. +Update: there has been progress on both of those fronts. Upstream +ported to Python 3 (partially?), but scripts (e.g. `ud-generate`) +still have the `python2` header. Preliminary tests seem to show that +`ud-generate` might be capable of running under `python3` directly as +well (ie. it doesn't error). + +The diff with upstream has been reduced, see [upstream section for +details](#maintainer-users-and-upstream). + ### Mid term: move hosts to Puppet, possibly replace ud-ldap with simpler dashboard In the **mid-term**, we should remove the duplication of duty
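Review bot: in the `@@ -862` hunk, the new `mail-passwords` row in the generated-files table does not state the condition under which the file is shipped, while the `@@ -1178` hunk of the same patch introduces a `MAIL-PASSWORDS` value for `exportOptions` that gates it. Rows such as `passwd.tbd` ("if `loginShell` is set ...") and `ssh-gitolite` ("if `GITOLITE` in `exportOptions`") spell out their condition, so the new row should too, e.g. "secondary password for mail authentication, if `MAIL-PASSWORDS` in `exportOptions`"; the same gap exists in the neighbouring `rtc-passwords` row and could be fixed while you are there.

Review bot: in the `@@ -1032` hunk, the `mailPassword` description says "[crypt(3)][]-hashed password" but does not say whether the stored value carries a `{CRYPT}` prefix; the `userPassword` row a few lines down explicitly says it is "stripped of the `{CRYPT}` prefix", so a reader cannot tell whether `mail-passwords` gets the same treatment. State which format is stored and whether ud-generate strips a prefix before writing the file.

Review bot: in the `@@ -1178` hunk, `MAIL-PASSWORDS` is inserted after `RTC-PASSWORDS`, but the surrounding `exportOptions` list is alphabetical (`PRIVATE`, `RTC-PASSWORDS`, `TOTP`, `UNTRUSTED`), so the new entry belongs before `PRIVATE`. Moving it keeps the list scannable for the next person adding an option.

Review bot: in the `@@ -1903` hunk, the "Update:" paragraph hedges twice ("ported to Python 3 (partially?)" and "might be capable of running under `python3` ... (ie. it doesn't error)") without saying what was actually tried; a reader cannot tell whether `ud-generate` under `python3` produced correct output or merely started. Replace the "(partially?)" with a pointer to what is known, say which invocation was tested and what was checked, and spell "ie." as "i.e." to match the rest of the document.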