[Dovecot] auth_cache multiple passwords ?
Hi, First, thanks Timo and Stefan for this great IMAP/Sieve implementation...
We are using 1.1.16+cmu_sieve/managesieve additions for now (following releases since ~ 1.0.1).
We have a specific problem here with auth-cache: We use direct imap/sieve connection from different clients, using LDAP password: everything is fine.
The problem appears with our webmail access using a web-SSO system (jasig's CAS), using one-time-tickets as password for imap connections (checked by pam_cas module for now).
For a single webmail connection per login, it works, thanks to cache_key using the client's IP.
But for multiple use of the same login in the webmail, there are more than one 'password' valid at a time…
What may be the 'correct' solution:
- patching auth-cache.c (auth_cache_lookup function ?)
- writing a different login backend ?
- ???
Hope I'm clear enough…
Geoffroy Desvernay, Ecole Centrale de Marseille
On Jun 12, 2009, at 9:45 AM, Geoffroy Desvernay wrote:
For a single webmail connection per login, it works, thanks to cache_key using the client's IP.
But for multiple use of the same login in the webmail, there are more than one 'password' valid at a time…
What may be the 'correct' solution:
The only usable solution I see is to disable negative auth caching and
use this patch from v1.2: http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
Timo Sirainen wrote:
On Jun 12, 2009, at 9:45 AM, Geoffroy Desvernay wrote:
For a single webmail connection per login, it works, thanks to cache_key using the client's IP.
But for multiple use of the same login in the webmail, there are more than one 'password' valid at a time…
What may be the 'correct' solution:
The only usable solution I see is to disable negative auth caching and use this patch from v1.2: http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
I'll try to patch 1.1.16 with this patch and report here, thanks !
Timo Sirainen wrote:
On Jun 12, 2009, at 9:45 AM, Geoffroy Desvernay wrote:
For a single webmail connection per login, it works, thanks to cache_key using the client's IP.
But for multiple use of the same login in the webmail, there are more than one 'password' valid at a time…
What may be the 'correct' solution:
The only usable solution I see is to disable negative auth caching and use this patch from v1.2: http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
Thank you !
I compiled 1.1.16 with this patch (applied manually).
If I understand what it does (I'm not sure at all), it just allows disabling negative caching of wrong passwords, but it doesn't allow caching multiple passwords for one 'cache_key', am I right?
In my test case, this patch allows the webmail to work, getting a new ticket for each IMAP connection (1 login failure, then login success with a new ticket) in case of concurrent connections with the same login (the last one who clicks kicks the others out of the cache).
I think dovecot understands this as a 'password change', and this behaviour seems correct for all but this case :(
How difficult would it be to keep more than one password cached per key?
-- *Geoffroy Desvernay* C.R.I - Systems and network administration, Ecole Centrale de Marseille Tel: (+33|0)4 91 05 45 24 Fax: (+33|0)4 91 05 45 98 dgeo@centrale-marseille.fr
On Tue, 2009-06-16 at 14:06 +0200, Geoffroy Desvernay wrote:
The only usable solution I see is to disable negative auth caching and use this patch from v1.2: http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
Thank you !
I compiled 1.1.16 with this patch (applied manually).
If I understand what it does (I'm not sure at all), it just allows disabling negative caching of wrong passwords, but it doesn't allow caching multiple passwords for one 'cache_key', am I right?
Right.
In my test case, this patch allows the webmail to work, getting a new ticket for each IMAP connection (1 login failure, then login success with a new ticket) in case of concurrent connections with the same login (the last one who clicks kicks the others out of the cache).
I think dovecot understands this as a 'password change', and this behaviour seems correct for all but this case :(
You did set auth_cache_negative_ttl=0, right? It should have worked then, because whenever authentication from cache fails Dovecot ignores whatever is in the cache and does another passdb lookup.
How difficult would it be to keep more than one password cached per key?
Way too difficult. But it's not necessary to get your system working.
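The cache behaviour discussed in this thread, as an added illustration that is not Dovecot's code: a simplified model of an auth cache holding one password fingerprint per cache_key, a constructed one-time-ticket passdb standing in for pam_cas, and two concurrent webmail logins of the same user from the same webmail IP with distinct tickets. With negative caching on, the second ticket is refused straight from the cache; with auth_cache_negative_ttl=0 the mismatch falls through to a fresh passdb lookup and the newest ticket replaces the cached one. Usernames, IPs, ticket strings and the positive-entry TTL (ignored here) are assumptions.

```python
import hashlib


def fingerprint(password):
    # The cache stores a hash of the password, not the password itself.
    return hashlib.sha256(password.encode()).hexdigest()


class OneTimeTicketPassdb:
    """Constructed stand-in for pam_cas: each CAS ticket validates exactly once."""

    def __init__(self, tickets):
        self.unused = set(tickets)
        self.lookups = 0  # how often the real backend had to be consulted

    def verify(self, user, password):
        self.lookups += 1
        if password in self.unused:
            self.unused.remove(password)  # ticket consumed on first use
            return True
        return False


class AuthCache:
    """One cached password fingerprint per cache_key (here user + client IP)."""

    def __init__(self, passdb, negative_ttl):
        self.passdb = passdb
        self.negative_ttl = negative_ttl
        self.entries = {}

    def authenticate(self, user, ip, password):
        key = (user, ip)
        cached = self.entries.get(key)
        if cached is not None:
            if cached == fingerprint(password):
                return True  # positive hit, no passdb lookup
            if self.negative_ttl > 0:
                return False  # mismatch answered from cache (negative caching)
            # negative_ttl == 0: a mismatch is not trusted, re-check the passdb
        ok = self.passdb.verify(user, password)
        if ok:
            self.entries[key] = fingerprint(password)  # newest ticket replaces the old one
        return ok


def concurrent_webmail_logins(negative_ttl):
    """Two webmail sessions, same user and webmail IP, two distinct tickets (constructed)."""
    passdb = OneTimeTicketPassdb(["ST-1-aaa", "ST-2-bbb"])
    cache = AuthCache(passdb, negative_ttl)
    first = cache.authenticate("dgeo", "10.0.0.5", "ST-1-aaa")
    second = cache.authenticate("dgeo", "10.0.0.5", "ST-2-bbb")
    return first, second, passdb.lookups
```

Re-presenting an already consumed ticket fails in both configurations, since the passdb no longer accepts it; only the handling of a not-yet-seen ticket differs.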