Jakob Hirsch wrote:
Timo Sirainen wrote:
But if I compile dovecot with --with-mysql, would it not be possible for dovecot to learn the mysql-password() scheme?
I guess it shouldn't be difficult, if one of the password functions in mysql_com.h is the same as the password() function in SQL.
Don't know that, but it's probably a bad idea to do that. The mysql doc itself says: "Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead." And there are two different ways mysql stores its passwords: an old one (pre-4.1, 16 bytes) and a new one (41 bytes, with a leading '*').
I agree, using PASSWORD() as a means to encode passwords in general applications is a VERY bad idea, but what's done is done :(
I think it would be more flexible (and maybe even easier to implement) to be able to use the password in a query, like:
SELECT userid as user, password FROM users WHERE userid = '%u' AND password = '%p'
This way, people can even use
SELECT userid as user, %p AS password FROM users WHERE userid = '%u' AND password = PASSWORD('%p')
(I hope the substitutions are properly escaped, btw)
This works only when we get the plaintext password from the client, obviously. But this is also true for CRYPT etc.
Maybe it would be even better/cleaner to be able to use something like
SELECT userid AS user, 1 AS password_ok FROM users WHERE userid = '%u' AND password = PASSWORD('%p')
So if password_ok is 1 we assume just what it says without further checking. This is more like a "return the check result" than "return the password" query then.
All of the above would solve my problem just fine, and keep the authentication in native MySQL.
-- Tom Sommer
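The two on-disk formats mentioned in the thread, and the escaping worry about '%p', are easy to check without a MySQL server. The following is an added example, not code from the thread, from Dovecot or from MySQL: it reimplements both PASSWORD() variants (the pre-4.1 16-hex-digit hash and the 4.1+ '*' + SHA1(SHA1(pw)) form), picks the right one from the stored value's shape, and renders the proposed "password_ok" query with the substitutions escaped. All function names here (mysql_old_password, mysql_native_password, mysql_password_verify, mysql_escape, render_check_query) are my own, as is the sample user table.

```python
import hashlib
import hmac
import re

# Added example for the thread above; not Dovecot or MySQL code. The names
# (mysql_old_password, mysql_native_password, mysql_password_verify,
# mysql_escape, render_check_query) are my own.

MASK32 = 0xFFFFFFFF


def mysql_old_password(password: str) -> str:
    """Pre-4.1 PASSWORD(): 16 lowercase hex chars (later OLD_PASSWORD()).
    Spaces and tabs are skipped, as libmysql's hash_password() does."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for c in password.encode("utf-8"):
        if c in (0x20, 0x09):
            continue
        nr = (nr ^ ((((nr & 63) + add) * c) + ((nr << 8) & MASK32))) & MASK32
        nr2 = (nr2 + (((nr2 << 8) & MASK32) ^ nr)) & MASK32
        add += c
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql_native_password(password: str) -> str:
    """4.1+ PASSWORD(): '*' plus 40 uppercase hex chars of SHA1(SHA1(pw)),
    the outer SHA1 taken over the raw 20-byte inner digest."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


_OLD_FORMAT = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)
_NEW_FORMAT = re.compile(r"^\*[0-9a-f]{40}$", re.IGNORECASE)


def mysql_password_verify(stored: str, candidate: str) -> bool:
    """Pick the hash function from the stored value's shape, then compare in
    constant time. A value in neither format is rejected, never guessed."""
    if _NEW_FORMAT.match(stored):
        expected = mysql_native_password(candidate)
    elif _OLD_FORMAT.match(stored):
        expected = mysql_old_password(candidate)
    else:
        return False
    return hmac.compare_digest(stored.upper().encode(), expected.upper().encode())


def mysql_escape(value: str) -> str:
    """Backslash-escape what mysql_real_escape_string() escapes inside a
    single-quoted literal. Byte-wise only: it assumes a single-byte or UTF-8
    connection charset, not GBK/SJIS, where escaping is charset-dependent."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def render_check_query(userid: str, password: str) -> str:
    """The 'return the check result' query from the thread with %u and %p
    substituted after escaping, so a quote in the password cannot break out."""
    return ("SELECT userid AS user, 1 AS password_ok FROM users "
            "WHERE userid = '%s' AND password = PASSWORD('%s')"
            % (mysql_escape(userid), mysql_escape(password)))


if __name__ == "__main__":
    # Constructed sample rows: one account migrated to the 4.1 format, one not.
    users = {
        "alice": mysql_native_password("correct horse"),
        "bob": mysql_old_password("hunter2"),
    }
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2"),
                     ("bob", "hunter3")]:
        print(user, mysql_password_verify(users[user], pw))
    print(render_check_query("bob", "x' OR '1'='1"))
```

Two things this makes visible that the thread only hints at: the old hash silently ignores spaces and tabs, so "hun ter2" and "hunter2" verify against the same row; and anything that is neither 16 nor 41 characters in the expected shape must be refused outright rather than fed to one of the two functions, otherwise a row with an empty or foreign hash becomes a login with whatever happens to collide.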