[Dovecot] doveadm auth and the "nologin" extra field

Timo Sirainen tss at iki.fi
Mon May 5 13:25:44 UTC 2014


Not intentional, and since it can cause confusion I removed it: http://hg.dovecot.org/dovecot-2.2/rev/3a5304b63f88

On 18.4.2014, at 10.54, Axel Luttgens <axel.luttgens at skynet.be> wrote:

> Hello,
> 
> Still busy with details...
> 
> Considering, as in my previous example, a password_query returning '!' or NULL for the "nologin" column, depending on an account's status (suspended or not).
> 
> Let's consider a suspended user "some.user".
> 
> In the case of a successful authentication, one has:
> 
> 	sh-3.2# doveadm auth test some.user goodpassword; echo $?
> 	passdb: some.user auth succeeded
> 	extra fields:
> 	  user=some.user
> 	  nologin
> 	0
> 
> On the other hand, in the case of an authentication failure:
> 
> 	sh-3.2# doveadm auth test some.user badpassword; echo $?
> 	passdb: some.user auth failed
> 	extra fields:
> 	  user=some.user
> 	  nologin=!
> 	77
> 
> So, this is similar to what happens in a connection (pop3, imap...): when present, the nologin info is always taken into account, even in the case of an authentication failure.
> 
> Again, this may raise some concerns about the consistency of such a behavior.
> Is this guaranteed to always behave that way, because of some rationale I'm currently missing, or does it go about some overlooked combination, liable to be inadvertently "corrected" in the future?
> I haven't been able to find a definitive answer in the wiki or in the code about such matters.
> 
> This is particularly important in the case of doveadm, since its output requires parsing for extracting such informations (the exit code alone isn't sufficient); should above behavior be changed without notice, and a script could suddenly take the worst decisions...
> 
> BTW, why:
> 	  nologin
> in the first output, and:
> 	  nologin=!
> in the second output?
> 
> 
> TIA,
> Axel



More information about the dovecot mailing list