[Dovecot] IP based virtual users: stripping login domain?

Alan Ferrency alan at pair.com
Fri Sep 14 20:33:56 EEST 2007


On Fri, 14 Sep 2007, Alan Ferrency wrote:

> I have a likely unusual request regarding IP based virtual
> dovecot users.
>
> When you specify a passdb passwd-file name containing "%d", then the
> domain portion is stripped from the login username, before the user is
> checked in the passwd-file. However, if you specify a passwd-file name
> containing "%l" (the local IP), the domain portion of the login is not
> stripped off before the username is checked in the passwd-file.
<snip>
> Does anyone have any recommendations? If what I want can't already be
> done, and I patched dovecot to do one of these things, how likely
> would it be to have that patch merged into the project?

Here is a small patch which causes "%0.l" in a passdb-file filename to
cause the username to have its domain stripped off. The patch was built
against dovecot 1.0.5, but looking at the 1.1-alpha code, it should be
directly applicable there as well.

--- db-passwd-file.c    16 Mar 2007 16:23:05 -0000      1.1.1.1
+++ db-passwd-file.c    14 Sep 2007 17:20:14 -0000
@@ -288,9 +288,12 @@
        for (p = path; *p != '\0'; p++) {
                if (*p == '%' && p[1] != '\0') {
                        p++;
-                       if (*p == 'd') {
-                               /* drop domains out only if %d is given
-                                  without modifiers */
+                       if (*p == 'd' ||
+                            (p[0] == '0' &&
+                             p[1] == '.' &&
+                             p[2] == 'l')) {
+                          /* drop domains out if %d is given
+                             without modifiers, or if %0.l is specified. */
                                db->domain_var = TRUE;
                        }
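Review bot: the added test (p[0] == '0' && p[1] == '.' && p[2] == 'l') matches only the literal sequence "0.l", so the "0." modifier on %l gains a side effect on the username that is unrelated to the local IP, and any other way of writing the variable in the path leaves db->domain_var unset. If this special case stays, the comment should say that "%0.l" is an opt-in marker for domain stripping rather than listing it next to "%d without modifiers", and the behaviour needs an entry in the passwd-file documentation. The flag name domain_var is now also set for a path that contains no domain variable, which will mislead later readers; a rename or a one-line note at its declaration would help. Style: the new continuation lines and the comment are indented differently from the surrounding context lines.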

This works, but it feels exceedingly hackish and annoying. It begs for a
more general purpose solution.

I think both the %d and %l cases would be handled better with an
additional configuration option in the passwd-file configuration, which
allows you to configure auth_username_format on a per-passwd-file basis.

An example configuration would look like this:

passdb passwd-file {
    args = /path/%l.passwd
    username_format = %n
}

This configuration would cause db_passwd_file_lookup to look up "%n" in
the password file, instead of looking up %u.

The current use of %d and %0.d in passwd-file names could also be
handled this way:

passdb passwd-file {
    args = /path/%d.passwd
    username_format = %u # instead of using %0.d.passwd
}

passdb passwd-file {
    args = /path/%d.passwd
    username_format = %n # the old default probably shouldn't change
}


This configuration also allows other interesting uses which aren't
currently possible, by allowing the domain to be removed from the
username at lookup time, while still making it available for variable
substitution within the passdb-file itself.

# IP-based virtual users, all in one file
passdb passwd-file {
    args = /path/ip_based.passwd
    username_format = %n@%l
}

# and domain-based virtual users in a separate file
passdb passwd-file {
    args = /path/domain_based.passwd
    username_format = %u
}


Is this interesting enough to consider adding to dovecot?

Thanks,

Alan Ferrency
pair Networks, Inc.
alan at pair.com
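
The following is an added illustration, not part of the original message and not Dovecot code: a Python model of the lookup semantics proposed above, showing which file and which key a login resolves to under each configuration. The function names expand and lookup, the in-memory FILES table and its entries are assumptions constructed for the example; only %u, %n, %d and %l without modifiers are modelled.

```python
# Added illustration; models the per-passdb username_format proposal.

def expand(fmt, login, local_ip):
    """Expand %u (full login), %n (local part), %d (domain), %l (local IP)."""
    name, _, domain = login.partition("@")
    table = {"u": login, "n": name, "d": domain, "l": local_ip, "%": "%"}
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            key = fmt[i + 1]
            if key not in table:
                raise ValueError("unsupported variable %" + key)
            out.append(table[key])
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def lookup(passdb, login, local_ip, files):
    """Return the password field for the login, or None if no entry matches."""
    path = expand(passdb["args"], login, local_ip)
    key = expand(passdb["username_format"], login, local_ip)
    for line in files.get(path, "").splitlines():
        user, _, rest = line.partition(":")
        if user == key:
            return rest.split(":")[0]
    return None


# Constructed sample data: two per-IP files and one shared file.
FILES = {
    "/path/192.0.2.10.passwd": "alice:{PLAIN}a-on-10\n",
    "/path/192.0.2.20.passwd": "alice:{PLAIN}a-on-20\n",
    "/path/ip_based.passwd": "alice@192.0.2.10:{PLAIN}shared-10\n"
                             "alice@192.0.2.20:{PLAIN}shared-20\n",
}
PER_IP = {"args": "/path/%l.passwd", "username_format": "%n"}    # proposed
UNSTRIPPED = {"args": "/path/%l.passwd", "username_format": "%u"}  # behaviour described for %l today
ONE_FILE = {"args": "/path/ip_based.passwd", "username_format": "%n@%l"}
```

With ONE_FILE, a login arriving on an IP that has no matching entry returns None even though the same local part exists for other IPs, which is the isolation property the single-file layout depends on.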

