Re: [Dovecot] Removing specific entry in user/auth cache
Francisco Wagner C. Freire <wgrcunha@gmail.com> writes:
On Wed, Jun 27, 2012 at 9:24 AM, Timo Sirainen <tss@iki.fi> wrote:
On 27.6.2012, at 14.10, Angel L. Mateo wrote:
We have dovecot configured with auth cache. Is there any way to
remove a specific entry (not all) from this cache?
Nope. What do you need it for?
I don't know about Angel, but for me it is useful because sometimes I need to deactivate smtp/imap/pop access from accounts, or change their home after storage migration, and by removing a specific record I can use a long-time cache.
I'm not sure that the auth cache holds that information, but I think you can at least invalidate a particular auth cache entry by
1) Changing the user password (and save the previous hash)
2) Authenticate using the new credentials (and invalidate
the auth cache entry). For example, you can just
do a manual connection on your dovecot server
x login someuser newpassword
This will replace the cache entry with a new one.
3) When you are ready to put the account back online, change the
password back to the original. A password mismatch forces
a resync to your authentication system which will restore
the auth cache.
Joseph Tam <jtam.home@gmail.com>
On Wed, 2012-06-27 at 19:08 -0700, Joseph Tam wrote:
I don't know about Angel, but for me it is useful because sometimes I need to deactivate smtp/imap/pop access from accounts, or change their home after storage migration, and by removing a specific record I can use a long-time cache.
I'm not sure that the auth cache holds that information,
userdb lookups are also cached.
but I think you can at least invalidate a particular auth cache entry by
Changing the user password (and save the previous hash)
Authenticate using the new credentials (and invalidate the auth cache entry). For example, you can just do a manual connection on your dovecot server
x login someuser newpassword
This will replace the cache entry with a new one.
When you are ready to put the account back online, change the password back to the original. A password mismatch forces a resync to your authentication system which will restore the auth cache.
This works for passdb cache, but not for userdb cache.
It would be possible to add a doveadm command for this.. I think the main reason why I already didn't do it last time I was asked this was because I wanted to use "doveadm auth cache flush" or something similar as the command, but there already exists "doveadm auth" command and "cache flush" would be treated as username=cache password=flush :(
Anyone have thoughts on a better doveadm command name? Or should I just break it and have v2.2 use "doveadm auth check" or something for the old "doveadm auth" command?
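The passdb/userdb difference discussed in the message above, as a simplified Python model added to this archive page (it is not Dovecot's code and not from any poster). `AuthCacheModel`, the TTL value, the backend dict and the sample account are assumptions made for illustration.

```python
import hmac

class AuthCacheModel:
    """Simplified model of separate passdb/userdb caches in front of a backend."""
    def __init__(self, backend, ttl):
        self.backend = backend   # user -> {"password", "home"}; stands in for SQL/LDAP
        self.ttl = ttl           # seconds an entry stays valid
        self.passdb = {}         # user -> (password, expiry)
        self.userdb = {}         # user -> (home, expiry)

    def _hit(self, cache, user, now):
        entry = cache.get(user)
        return entry[0] if entry and now < entry[1] else None

    def authenticate(self, user, password, now):
        cached = self._hit(self.passdb, user, now)
        if cached is not None and hmac.compare_digest(cached, password):
            return True          # served from cache, backend never consulted
        # Miss, expiry or password mismatch: fall through to the backend.
        record = self.backend.get(user)
        if record is None:
            self.passdb.pop(user, None)
            return False
        self.passdb[user] = (record["password"], now + self.ttl)
        return hmac.compare_digest(record["password"], password)

    def user_home(self, user, now):
        cached = self._hit(self.userdb, user, now)
        if cached is not None:
            return cached        # nothing on this path notices a backend change
        record = self.backend.get(user)
        if record is None:
            return None
        self.userdb[user] = (record["home"], now + self.ttl)
        return record["home"]

def walk_through():
    # Constructed sample account; times are seconds on a fake clock.
    backend = {"someuser": {"password": "original", "home": "/mail/old"}}
    cache = AuthCacheModel(backend, ttl=3600)
    out = {"warm": (cache.authenticate("someuser", "original", 0),
                    cache.user_home("someuser", 0))}
    # Admin changes the password and moves the home in the backend.
    backend["someuser"] = {"password": "newpassword", "home": "/mail/new"}
    out["old_password_before"] = cache.authenticate("someuser", "original", 10)
    out["new_password"] = cache.authenticate("someuser", "newpassword", 20)
    out["old_password_after"] = cache.authenticate("someuser", "original", 30)
    out["home_still_cached"] = cache.user_home("someuser", 40)
    out["home_after_ttl"] = cache.user_home("someuser", 3600)
    return out
```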
On 28.6.2012, at 9.43, Timo Sirainen wrote:
It would be possible to add a doveadm command for this.. I think the main reason why I already didn't do it last time I was asked this was because I wanted to use "doveadm auth cache flush" or something similar as the command, but there already exists "doveadm auth" command and "cache flush" would be treated as username=cache password=flush :(
Anyone have thoughts on a better doveadm command name? Or should I just break it and have v2.2 use "doveadm auth check" or something for the old "doveadm auth" command?
Perhaps for v2.2:
doveadm auth test <user> [<pass>]
doveadm auth cache flush [<user>]
doveadm auth cache stats
and for v2.1 a bit kludgy way:
doveadm auth <user> [<pass>]
doveadm auth cache flush [<user>]
so you couldn't test authentication against "cache" user, but that's probably not a problem.
Timo Sirainen wrote:
On 28.6.2012, at 9.43, Timo Sirainen wrote:
Perhaps for v2.2:
doveadm auth test <user> [<pass>]
doveadm auth cache flush [<user>]
doveadm auth cache stats
and for v2.1 a bit kludgy way:
doveadm auth <user> [<pass>]
doveadm auth cache flush [<user>]
so you couldn't test authentication against "cache" user, but that's probably not a problem.
Hi there,
wouldn't it be better to use a syntax similar to other doveadm commands, with labels for all arguments?
doveadm auth test -u <user> -p [<pass>]
doveadm auth cache flush -u [<user>]
doveadm auth cache stats
This will allow you to syntactically distinguish "commands" from "arguments". Otherwise you might run into the same "kludgy" syntax problem again, as soon as the number of subcommands changes.
Regards Daniel
On 29.6.2012, at 5.18, Daniel Parthey wrote:
wouldn't it be better to use a syntax similar to other doveadm commands, with labels for all arguments?
doveadm auth test -u <user> -p [<pass>]
doveadm auth cache flush -u [<user>]
doveadm auth cache stats
This will allow you to syntactically distinguish "commands" from "arguments". Otherwise you might run into the same "kludgy" syntax problem again, as soon as the number of subcommands changes.
The problem was with the "auth" toplevel command not having subcommands. I don't think there are going to be any problems with subcommands. Also there are many commands already that take <user> without the -u parameter. Actually it's only the "mail commands" that take -u parameter at all.
Another potential problem is "doveadm user" command. I'm wondering if it might be a good idea to move it to "doveadm auth user" or "doveadm auth userdb" command. There should be also a similar "doveadm auth passdb" command that does a passdb lookup without authentication.
On 29/06/12 07:32, Timo Sirainen wrote:
On 29.6.2012, at 5.18, Daniel Parthey wrote:
wouldn't it be better to use a syntax similar to other doveadm commands, with labels for all arguments?
doveadm auth test -u <user> -p [<pass>]
doveadm auth cache flush -u [<user>]
doveadm auth cache stats
This will allow you to syntactically distinguish "commands" from "arguments". Otherwise you might run into the same "kludgy" syntax problem again, as soon as the number of subcommands changes.
The problem was with the "auth" toplevel command not having subcommands. I don't think there are going to be any problems with subcommands. Also there are many commands already that take <user> without the -u parameter. Actually it's only the "mail commands" that take -u parameter at all.
Another potential problem is "doveadm user" command. I'm wondering if it might be a good idea to move it to "doveadm auth user" or "doveadm auth userdb" command. There should be also a similar "doveadm auth passdb" command that does a passdb lookup without authentication.
Another command that could be useful is one to remove a temporary user-server association in director. For example, I had a downtime in one server, so users normally directed to this server are now being directed to another. Now I want a user to get back to his normal server (force it, I know we will get back after a timeout), but I don't want to flush all user connections to the backup server.
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590 Fax: 868888337
On 29.6.2012, at 10.13, Angel L. Mateo wrote:
Another command that could be useful is one to remove a temporary user-server association in director. For example, I had a downtime in one server, so users normally directed to this server are now being directed to another. Now I want a user to get back to his normal server (force it, I know we will get back after a timeout), but I don't want to flush all user connections to the backup server.
There's already doveadm director move command.
On Fri, 2012-06-29 at 05:01 +0300, Timo Sirainen wrote:
and for v2.1 a bit kludgy way:
doveadm auth <user> [<pass>]
doveadm auth cache flush [<user>]
Done: http://hg.dovecot.org/dovecot-2.1/rev/007bf0047ab0 http://hg.dovecot.org/dovecot-2.1/rev/1093c74f54af
so you couldn't test authentication against "cache" user, but that's probably not a problem.
Actually you only can't test authentication against "cache" user with "flush" password. Even less likely to be a problem.
On 04/07/12 10:01, Timo Sirainen wrote:
On Fri, 2012-06-29 at 05:01 +0300, Timo Sirainen wrote:
and for v2.1 a bit kludgy way:
doveadm auth <user> [<pass>]
doveadm auth cache flush [<user>]
Done: http://hg.dovecot.org/dovecot-2.1/rev/007bf0047ab0 http://hg.dovecot.org/dovecot-2.1/rev/1093c74f54af
Hello,
After some time I have updated my system to 2.1.9 which includes this
patch but I have doubts it is working.
I have changed an attribute for one of my users (his home directory) so
I run:
root@myotis33:~# doveadm auth cache flush <user>
2 cache entries flushed
but, then, when I run "doveadm user <user>" I've got the old
information, not the updated one.
I had to reload dovecot to get the information correctly reloaded.
participants (4)
- Angel L. Mateo
- Daniel Parthey
- Joseph Tam
- Timo Sirainen