Dear dovecot maintainers:
I'm using SSL client certificates together with a checkpassword script to authenticate our users.
My problem is: In the checkpassword script the AUTH_USER environment variable will either contain the username that was configured in the mailclient (if auth_ssl_username_from_cert=false) or the username from the certificate (if auth_ssl_username_from_cert=true).
I would like to compare both values, i.e. the %{user} Dovecot-variable and the %{orig_user} Dovecot-variable. But the environment of a checkpassword-script has only one of them.
I tried myself and found the following:
- the environment of a checkpassword script is set up by checkpassword_setup_env() in db-checkpassword.c
- checkpassword_setup_env() calls env_put_auth_vars()
- env_put_auth_vars() creates AUTH_xxx environment variables for all entries of the auth_request_get_var_expand_table()
- the auth_request_get_var_expand_table_full() routine does not contain the original user, but the auth_request-struct does.
So I changed the Dovecot source code (version 2.2.12) as follows:
In src/auth/auth-request.h line 152 I replaced #define AUTH_REQUEST_VAR_TAB_COUNT 27 by #define AUTH_REQUEST_VAR_TAB_COUNT 30.
In src/auth/auth-request.c around line 2027 I replaced the following lines at the end of auth_request_var_expand_static_tab:

	{ '\0', NULL, "session_pid" },
	/* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
	{ '\0', NULL, NULL }
};
by
	{ '\0', NULL, "session_pid" },
	{ '\0', NULL, "orig_user" },
	{ '\0', NULL, "orig_username" },
	{ '\0', NULL, "orig_domain" },
	/* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
	{ '\0', NULL, NULL }
};
In src/auth/auth-request.c around line 2116 I replaced the following lines at the end of the function auth_request_get_var_expand_table_full():

	tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
		dec2str(auth_request->session_pid);
	return ret_tab;
by
	tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
		dec2str(auth_request->session_pid);
	if (auth_request->original_username != NULL) {
		/* orig_user: the full username as originally sent by the client */
		tab[27].value =
			escape_func(auth_request->original_username, auth_request);
		/* orig_username: the part before '@' */
		tab[28].value =
			escape_func(t_strcut(auth_request->original_username, '@'),
				    auth_request);
		/* orig_domain: the part after '@', or NULL if there is none */
		tab[29].value = strchr(auth_request->original_username, '@');
		if (tab[29].value != NULL) {
			tab[29].value =
				escape_func(tab[29].value+1, auth_request);
		}
	}
	return ret_tab;
This will add AUTH_ORIG_USER, AUTH_ORIG_USERNAME and AUTH_ORIG_DOMAIN environment variables to the environment of every checkpassword script.
If this is the correct way to extend the environment of a checkpassword script then you might consider adding these minor changes to the Dovecot source.
Kind regards, and thanks very much for this wonderful project.
Peter Koch