[Dovecot] passdb to add extra fields?

Wed Jan 30 15:49:24 EET 2013

On 19.12.2012, at 0.24, Ben Morrow <ben at morrow.me.uk> wrote:

>> Also there are already "deny" and "pass" settings. Interaction with them
>> can be somewhat confusing.. Maybe all of these should be replaced with:
>> 
>> type=deny: Same as old deny=yes (deny auth if user is in list)
>> type=precondition(?): Same as pass=yes (require another passdb to match)
>> type=postcondition(?): Require user to exist in this passdb/userdb as
>> well, adding any extra fields in it.
>> type=add: Add any extra fields, if the user exists at all.
> 
> This sounds like the nsswitch.conf [notfound=continue] stuff, perhaps
> you could use those names? 
> 
>    Status
>    success     entry found
>    notfound    entry definitely not found
>    tryagain    database temporarily unavailable
>    unavail     database not responding (an error of some kind)

I wonder what's the difference between tryagain and unavail. Sounds like the same thing to me.

>    Action
>    return      return the current result
>    continue    try the next db and accumulate fields
> 
> with defaults of
> 
>    success = return
>    notfound = continue
>    tryagain = continue
>    unavail = continue
> 
> You could potentially add other actions, like 'retry' which waits a bit
> and retries. Some sort of 'tempfail' action, which returns temporary
> failure to the client, would be good, but I don't think IMAP supports
> that, unless you just drop the connection and assume the client will
> reconnect and retry.

Hmm. I guess this would work, with defaults:

passdb {
  skip = never
  success = return-ok
  notfound = continue
  unavail = continue
}

The possible values for skip:
 - never: always do this passdb lookup
 - authenticated: skip if user is already authenticated by a previous passdb
 - unauthenticated: skip if user isn't authenticated

The possible values for success/notfound/unavail:
 - return, return-ok, return-fail
 - continue, continue-ok, continue-fail

where return/continue preserves the success-status without changing it, while the -ok and -fail variants change the success-status. The default status is fail, only return-ok / continue-ok changes that.

So:

 - deny=yes would be success=return-fail.

 - pass=yes would be success=continue (or continue-fail, but usually that would be the same)

 - Two passdbs, second one adding extra fields:

a) require user to be in both: passdb { success = continue }, passdb { skip = unauthenticated }
b) don't require user in the second: passdb { success = continue-ok }, passdb { skip = unauthenticated }

 - 3 passdbs, with first two authenticating and last one adding extra fields:

passdb { success = continue }, passdb { success = continue skip = authenticated }, passdb { skip = unauthenticated }

I think you can do pretty much any wanted combination with these. Also. I think result_ prefix would be good, too lazy to update the rest of the mail now. So result_success, result_notfound and result_unavail.