[Dovecot] passdb to add extra fields?

Ben Morrow ben at morrow.me.uk
Wed Jan 30 16:44:11 EET 2013


At  3PM +0200 on 30/01/13 you (Timo Sirainen) wrote:
> On 19.12.2012, at 0.24, Ben Morrow <ben at morrow.me.uk> wrote:
> 
> > This sounds like the nsswitch.conf [notfound=continue] stuff, perhaps
> > you could use those names? 
> > 
> >    Status
> >    success     entry found
> >    notfound    entry definitely not found
> >    tryagain    database temporarily unavailable
> >    unavail     database not responding (an error of some kind)
> 
> I wonder what's the difference between tryagain and unavail. Sounds
> like the same thing to me.

I think it's intended to distinguish between temporary and permanent
failures (like 400 and 500 SMTP errors), so for instance 'LDAP server
not responding' would be tryagain, and 'LDAP server returned permission
denied' would be unavail. The difference would only be useful if Dovecot
was going to retry in some cases, or could return a 'temporary failure'
indication to the client.

> Hmm. I guess this would work, with defaults:
> 
> passdb {
>   skip = never
>   success = return-ok
>   notfound = continue
>   unavail = continue
> }
> 
> The possible values for skip:
>  - never: always do this passdb lookup
>  - authenticated: skip if user is already authenticated by a previous passdb
>  - unauthenticated: skip if user isn't authenticated
> 
> The possible values for success/notfound/unavail:
>  - return, return-ok, return-fail
>  - continue, continue-ok, continue-fail
> 
> where return/continue preserves the success-status without changing
> it, while the -ok and -fail variants change the success-status. The
> default status is fail, only return-ok / continue-ok changes that.
> 
> So:
> 
>  - deny=yes would be success=return-fail.
> 
>  - pass=yes would be success=continue (or continue-fail, but usually
>  that would be the same)
> 
>  - Two passdbs, second one adding extra fields:
> 
> a) require user to be in both: passdb { success = continue }, passdb {
> skip = unauthenticated }
> b) don't require user in the second: passdb { success = continue-ok },
> passdb { skip = unauthenticated }
> 
>  - 3 passdbs, with first two authenticating and last one adding extra fields:
> 
> passdb { success = continue }, passdb { success = continue skip =
> authenticated }, passdb { skip = unauthenticated }
> 
> I think you can do pretty much any wanted combination with these.
> Also. I think result_ prefix would be good, too lazy to update the
> rest of the mail now. So result_success, result_notfound and
> result_unavail.

Looks good to me.

Ben



More information about the dovecot mailing list