I recommend having all of your users log in to have their hashes upgraded as soon as possible, and it would be prudent to have them change their passwords as well.
This should have no impact on LDAP, the authentication codepaths ignore the dbic “realm” when authenticating with LDAP. I checked that the integrated LDAP test passes, since I was worried about that too.
From a quick look at the PR it looks like users will be upgraded on first successful login after the deployment. You may find yourself with old style passwords hanging around in your database for a long time for people who don’t log in regularly.
An approach I used in a similar situation a while back is to use argon2 with the currently stored sha1 hash and save that result. Validation of older passwords becomes (simplifying a little here): constant_time_compare(stored_hash, argon2(sha1(plaintext))).
This gives the same level of protection as direct argon2 in the event of a data leak. It does add a little complexity in validating older passwords, but depending on the situation it may be worth it. You can then either store a flag so you know what type of comparison to make, or fall back to assuming it’s been sha1 encoded first in the event of a failure. Though I would favour the flag method. Still upgrade them to direct argon2 when a successful authentication happens for consistency.
You can apply this if and when you need it later on. Just something you may want to consider if you haven’t already.
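The wrap-then-upgrade scheme described in the comment above, as an added sketch that is not part of the thread or of the project's code. It assumes legacy rows hold an unsalted SHA-1 hex digest, uses hypothetical scheme names (`sha1`, `kdf-sha1`, `kdf`) and record layout, and substitutes the standard library's `hashlib.scrypt` for argon2 so it runs without extra packages.

```python
import hashlib
import hmac
import os

def kdf(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for argon2 (assumption): scrypt from the standard library.
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def sha1_hex(password: str) -> bytes:
    # Reproduces the legacy stored form (assumed: unsalted hex digest).
    return hashlib.sha1(password.encode()).hexdigest().encode()

def wrap_legacy(record: dict) -> dict:
    """Offline migration: needs only the stored SHA-1, never the plaintext."""
    salt = os.urandom(16)
    return {"scheme": "kdf-sha1", "salt": salt,
            "hash": kdf(record["hash"].encode(), salt)}

def new_record(password: str) -> dict:
    """Direct KDF over the plaintext, the target format for every user."""
    salt = os.urandom(16)
    return {"scheme": "kdf", "salt": salt, "hash": kdf(password.encode(), salt)}

def verify(record: dict, password: str):
    """Return (ok, record); a wrapped record is upgraded on success."""
    if record["scheme"] == "kdf-sha1":      # the flag selects the comparison
        candidate = kdf(sha1_hex(password), record["salt"])
    elif record["scheme"] == "kdf":
        candidate = kdf(password.encode(), record["salt"])
    else:
        # Bare SHA-1 rows are refused: they must be wrapped at deployment.
        return False, record
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] != "kdf":
        record = new_record(password)       # plaintext is available only now
    return True, record

if __name__ == "__main__":
    # Constructed sample row, not data from the thread.
    legacy = {"scheme": "sha1",
              "hash": hashlib.sha1(b"correct horse").hexdigest()}
    wrapped = wrap_legacy(legacy)
    ok, upgraded = verify(wrapped, "correct horse")
    print(ok, wrapped["scheme"], "->", upgraded["scheme"])
```

Running `wrap_legacy` over every remaining row at deployment removes bare SHA-1 values from the database immediately, including those of users who never log in again.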