[Dovecot] %{orig_user} missing in checkpassword-Script
dovecot.pkoch at dfgh.net
dovecot.pkoch at dfgh.net
Sat May 3 12:32:46 UTC 2014
Dear dovecot maintainers:
I'm using SSL client certificates together with a checkpassword scripts
to authenticate our users.
My problem is: In the checkpassword script the AUTH_USER environment
variable will either contain the username that was configured in the
mailclient (if auth_ssl_username_from_cert=false) or the username
from the certificate (if auth_ssl_username_from_cert=true).
I would like to compare both values, i.e. the %{user} Dovecot-variable
and the %{orig_user} Dovecot-variable. But the environment of a
checkpassword-script has only one of them.
I tried myself and found the following:
- the environment of a checkpassword script is setup by
checkpassword_setup_env() in db-checkpassword.c
- checkpassword_setup_env() calls env_put_auth_vars()
- env_put_auth_vars() creates AUTH_xxx environment variables for all
entries of the auth_request_get_var_expand_table()
- the auth_request_get_var_expand_table_full() routine does not contain the
original user, but the auth_request-struct does.
So I changed the dovecot sourcecode (version 2.2.12) as follows
In src/auth/auth-request.h line 152 I replaced
#define AUTH_REQUEST_VAR_TAB_COUNT 27
by
#define AUTH_REQUEST_VAR_TAB_COUNT 30
In src/auth/auth-request.c around line 2027 I replaced the
following lines at the end of auth_request_var_expand_static_tab
{ '\0', NULL, "session_pid" },
/* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
{ '\0', NULL, NULL }
};
by
{ '\0', NULL, "session_pid" },
{ '\0', NULL, "orig_user" },
{ '\0', NULL, "orig_username" },
{ '\0', NULL, "orig_domain" },
/* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
{ '\0', NULL, NULL }
};
In src/auth/auth-request.c around line 2116 I replaced the
following lines at the end of function
auth_request_get_var_expand_table_full()
tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
dec2str(auth_request->session_pid);
return ret_tab;
by
tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
dec2str(auth_request->session_pid);
if (auth_request->original_username != NULL) {
tab[27].value =
escape_func(auth_request->original_username, auth_request);
tab[28].value =
escape_func(t_strcut(auth_request->original_username, '@'), auth_request);
tab[29].value = strchr(auth_request->original_username,
'@');
if (tab[29].value != NULL) {
tab[29].value = escape_func(tab[29].value+1,
auth_request);
}
}
return ret_tab;
This will add AUTH_ORIG_USER, AUTH_ORIG_USERNAME and AUTH_ORIG_DOMAIN
environment variables to the environment of every checkpassword script.
If this is the correct way to extend the environment of a
chackpassword-script
then you might consider adding these minor changes to the dovecot-source.
Kind regards and thanks very much for this wonderful project
Peter Koch
More information about the dovecot
mailing list