passdb {driver = shadow args = override_username=%variable}

Timo Sirainen tss at iki.fi
Tue Jul 12 01:23:59 UTC 2016


On 09 Jul 2016, at 13:01, UNIX admin <tripivceta at gmail.com> wrote:
> 
> Hello list
> 
> I want to implement override_username = %variable for the "shadow"
> driver, so that the following works:
> 
> passdb {
>  driver = shadow
>  args = override_username=%Ln
> }
> 
> by "%variable", I mean "Variables" at http://wiki.dovecot.org/Variables.
> 
> I've hacked up a solution with strtok(3C), but that's a hack and a
> possible security hole, and I'd rather not implement it.
> What I really want is to be able to leverage Dovecot's var_expand()
> call, which, looking at the code, appears to be the function
> responsible for %variable expansion and formatting.
> 
> The relevant piece of code seems to be this excerpt in auth/passdb-shadow.c:
> 
> static enum passdb_result
> shadow_lookup(struct auth_request *request, struct spwd **spw_r)
> {
>        auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup");
> 
>        *spw_r = getspnam(request->user);
>        if (*spw_r == NULL) {
>                auth_request_log_unknown_user(request, AUTH_SUBSYS_DB);
>                return PASSDB_RESULT_USER_UNKNOWN;
>        }
> 
> when request->user contains 'user@domain.tld', I want the code to be
> able to process "override_username", determine that the format is %Ln
> so that request->user is lowercased, and everything after the "@" sign
> is stripped. Therefore, if this user happens to exist in the shadow
> file, authentication will succeed.
> 
> Currently, the "shadow" driver only appears to support "args = blocking=no".

You need this to be specific to the one passdb, not everything? So auth_username_format=%Ln setting wouldn't work?

passwd-file driver has username_format parameter, which does this. I've thought that rather than copy&pasting such code to other drivers, the next step would be to make it work for all the passdb and userdb drivers, such as:

passdb {
  driver = anything
  args = anything
  username_format = %Ln
}

I'd be happy for such a generic patch. I'm not entirely sure what's the best/nicest way to do it though. Maybe temporarily override auth_request->user? Could be ugly, but maybe doable..
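An added example, not part of the original message and not Dovecot code: a sketch of the "temporarily override the user for one passdb lookup" idea for the %Ln case discussed above. The struct, function names and the "alice" account are hypothetical stand-ins; splitting at the first "@" and rejecting empty or oversized names are assumptions of this sketch, not a description of var_expand().

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the auth request; not Dovecot's struct auth_request. */
struct demo_request { const char *user; };

/* Stand-in for the %Ln format only: the part before the first '@', lowercased.
   Returns 0 on success, -1 if the result is empty or does not fit in out.
   Failing instead of truncating matters: a silently shortened name could
   match a different local account. */
int expand_Ln(const char *user, char *out, size_t out_size)
{
	size_t len = strcspn(user, "@");	/* does not modify the input, unlike strtok() */

	if (len == 0 || len >= out_size)
		return -1;
	for (size_t i = 0; i < len; i++)
		out[i] = (char)tolower((unsigned char)user[i]);
	out[len] = '\0';
	return 0;
}

/* Constructed callback type standing in for one passdb driver's lookup. */
typedef int (*lookup_fn)(const struct demo_request *req);

/* Run one lookup with the formatted username, then restore the original so
   that any other passdb still sees the full user@domain value. */
int lookup_with_username_format(struct demo_request *req, lookup_fn lookup)
{
	char formatted[256];
	const char *saved = req->user;
	int ret;

	if (expand_Ln(saved, formatted, sizeof(formatted)) < 0)
		return -1;
	req->user = formatted;
	ret = lookup(req);
	req->user = saved;
	return ret;
}

/* Constructed sample driver: only the local account "alice" exists. */
int demo_shadow_lookup(const struct demo_request *req)
{
	return strcmp(req->user, "alice") == 0;
}
```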


