[Dovecot] doveadm auth and the "nologin" extra field
Hello,
Still busy with details...
Considering, as in my previous example, a password_query returning '!' or NULL for the "nologin" column, depending on an account's status (suspended or not).
Let's consider a suspended user "some.user".
In the case of a successful authentication, one has:
sh-3.2# doveadm auth test some.user goodpassword; echo $?
passdb: some.user auth succeeded
extra fields:
user=some.user
nologin
0
On the other hand, in the case of an authentication failure:
sh-3.2# doveadm auth test some.user badpassword; echo $?
passdb: some.user auth failed
extra fields:
user=some.user
nologin=!
77
So, this is similar to what happens in a connection (pop3, imap...): when present, the nologin info is always taken into account, even in the case of an authentication failure.
Again, this may raise some concerns about the consistency of such a behavior. Is this guaranteed to always behave that way, because of some rationale I'm currently missing, or does it go about some overlooked combination, liable to be inadvertently "corrected" in the future? I haven't been able to find a definitive answer in the wiki or in the code about such matters.
This is particularly important in the case of doveadm, since its output requires parsing for extracting such information (the exit code alone isn't sufficient); should the above behavior be changed without notice, and a script could suddenly take the worst decisions...
BTW, why: nologin in the first output, and: nologin=! in the second output?
TIA, Axel
Not intentional, and since it can cause confusion I removed it: http://hg.dovecot.org/dovecot-2.2/rev/3a5304b63f88
On 18.4.2014, at 10.54, Axel Luttgens <axel.luttgens@skynet.be> wrote:
Hello,
Still busy with details...
Considering, as in my previous example, a password_query returning '!' or NULL for the "nologin" column, depending on an account's status (suspended or not).
Let's consider a suspended user "some.user".
In the case of a successful authentication, one has:
sh-3.2# doveadm auth test some.user goodpassword; echo $?
passdb: some.user auth succeeded
extra fields:
user=some.user
nologin
0
On the other hand, in the case of an authentication failure:
sh-3.2# doveadm auth test some.user badpassword; echo $?
passdb: some.user auth failed
extra fields:
user=some.user
nologin=!
77
So, this is similar to what happens in a connection (pop3, imap...): when present, the nologin info is always taken into account, even in the case of an authentication failure.
Again, this may raise some concerns about the consistency of such a behavior. Is this guaranteed to always behave that way, because of some rationale I'm currently missing, or does it go about some overlooked combination, liable to be inadvertently "corrected" in the future? I haven't been able to find a definitive answer in the wiki or in the code about such matters.
This is particularly important in the case of doveadm, since its output requires parsing for extracting such information (the exit code alone isn't sufficient); should the above behavior be changed without notice, and a script could suddenly take the worst decisions...
BTW, why: nologin in the first output, and: nologin=! in the second output?
TIA, Axel
On 5 May 2014 at 15:25, Timo Sirainen wrote:
Not intentional, and since it can cause confusion I removed it: http://hg.dovecot.org/dovecot-2.2/rev/3a5304b63f88
Hmmm... this was a too easy one. ;-)
Once again, many thanks Timo, Axel
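A script consuming this output has to treat both spellings seen in the thread (`nologin` and `nologin=!`) as the same field and refuse to proceed on anything it does not recognise. The Python sketch below is an added example, not code from the thread or from Dovecot; the function names, reason strings and sample transcripts are constructed, modeled on the two sessions quoted above.

```python
import re

# Constructed transcripts, modeled on the two sessions in the thread.
OK_SUSPENDED = "passdb: some.user auth succeeded\nextra fields:\nuser=some.user\nnologin\n"
FAIL_SUSPENDED = "passdb: some.user auth failed\nextra fields:\nuser=some.user\nnologin=!\n"
OK_ACTIVE = "passdb: some.user auth succeeded\nextra fields:\nuser=some.user\n"

RESULT_RE = re.compile(r"passdb: .+ auth (succeeded|failed)")


def parse_auth_test(output):
    """Return (result, fields) from `doveadm auth test` output.

    result is "succeeded", "failed" or None when no result line was found.
    """
    result = None
    fields = {}
    in_fields = False
    for raw in output.splitlines():
        line = raw.strip()  # tolerate indented field lines
        if not line:
            continue
        m = RESULT_RE.fullmatch(line)
        if m:
            result = m.group(1)
        elif line == "extra fields:":
            in_fields = True
        elif in_fields:
            # "nologin" and "nologin=!" both mean the field is present.
            key, _, value = line.partition("=")
            fields[key] = value
    return result, fields


def decide(exit_code, output):
    """Hypothetical policy: allow only on a fully consistent success."""
    result, fields = parse_auth_test(output)
    if result is None:
        return False, ["unparsed"]  # fail closed on unknown output
    reasons = []
    if result == "failed":
        reasons.append("auth_failed")
    if (result == "succeeded") != (exit_code == 0):
        reasons.append("exit_mismatch")
    if "nologin" in fields:  # presence decides, never the value
        reasons.append("nologin")
    return not reasons, reasons
```

Because the decision depends on the field being present rather than on how it is printed, a change in the `nologin` / `nologin=!` rendering does not alter the outcome, and output the parser cannot recognise is refused rather than allowed.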