Hello,
i have a setup with two director servers pointing to two backends. I don't care that much for load balancing, my main goal is high availability.
CRAM-MD5 auth is working fine if I connect directly to the backends, but the director only supports AUTH=PLAIN because of the static passdb.
director config:
passdb {
  driver = static
  args = nopassword=y proxy=y
}
director_servers = director1 director2
director_mail_servers = backend1 backend2
backend config:
passdb {
  driver = vpopmail
  args =
}
userdb {
  driver = vpopmail
}
It seems that the director only works if I use the static passdb?!
How can I use the director with other passdb drivers than the static one?
Greetings, Martin
On Wed, 2010-10-13 at 10:53 +0200, Martin Spuetz wrote:
i have a setup with two director servers pointing to two backends. I don't care that much for load balancing, my main goal is high availability.
CRAM-MD5 auth is working fine if I connect directly to the backends, but the director only supports AUTH=PLAIN because of the static passdb.
Yeah. The problem is that with CRAM-MD5 the username can't be known until the authentication is started. But the authentication can't be started until the backend server is known, which of course can't be known until the username is known..
So the only way to make CRAM-MD5 work with proxying is to have the client authenticate with CRAM-MD5 against the proxy. The proxy then does a separate authentication against the backend server (e.g. using a master proxy password that allows authenticating against anyone).
Or if you only care about HA, maybe you shouldn't use director at all and just have an active/passive pair of servers.
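The ordering problem Timo describes, modelled in Python as an added example (this is not Dovecot code and not part of the thread): the CRAM-MD5 challenge is issued before the server knows who is connecting, the username only arrives inside the client's response, and the response can only be checked by something that holds the user's secret. The `director_login()` function walks through the workable flow: the director terminates CRAM-MD5 against its own credential store, picks a backend only after the username is known, and then opens a second, separate login to that backend. The credential store, the `backend1`/`backend2` pool and the master-password mechanism for the second hop are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store standing in for the director's own passdb
# (in the thread: passdb sql with proxy=y). Sample values, not real users.
PASSDB = {"martin@example.com": "correct horse battery staple"}

# Backend pool matching the thread's director_mail_servers setting.
BACKENDS = ["backend1", "backend2"]

# Assumed: the backends accept a master password so the director can log in
# on behalf of any user after it has verified the client itself.
BACKEND_MASTER_PASSWORD = "MASTER-PASSWORD-PLACEHOLDER"


def cram_md5_challenge(hostname="director1"):
    """Server side (RFC 2195 format): the challenge goes out before the server
    knows anything about the client, so a proxy cannot pick a backend yet."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 over the challenge, keyed with the password.
    The username is revealed only here, in the response."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def parse_response(response_b64):
    """Decode a client response into (username, hex digest)."""
    username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    return username, digest


def verify_cram_md5(username, digest, challenge, passdb=PASSDB):
    """The verifier must hold the user's secret (plaintext password or a
    CRAM-MD5 scheme entry); a static nopassword=y passdb cannot do this."""
    password = passdb.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def pick_backend(username, backends=BACKENDS):
    """Director-style sticky mapping of a user to one backend."""
    bucket = int(hashlib.md5(username.encode()).hexdigest(), 16)
    return backends[bucket % len(backends)]


def backend_login(backend, username, master_password):
    """Simulated second authentication from the director to the chosen backend."""
    return backend in BACKENDS and hmac.compare_digest(master_password, BACKEND_MASTER_PASSWORD)


def director_login(username, client_password):
    """The workable flow: the director terminates CRAM-MD5 itself, learns the
    username from the response, only then picks a backend, and opens a second,
    separate authentication to it. Returns (authenticated, backend_or_None)."""
    challenge = cram_md5_challenge()                                    # 1. challenge first
    response = cram_md5_response(username, client_password, challenge)  # 2. client answers
    user, digest = parse_response(response)                             # 3. username known now
    if not verify_cram_md5(user, digest, challenge):
        return False, None                                              # never reaches a backend
    backend = pick_backend(user)                                        # 4. backend chosen last
    return backend_login(backend, user, BACKEND_MASTER_PASSWORD), backend  # 5. second hop


if __name__ == "__main__":
    print(director_login("martin@example.com", "correct horse battery staple"))
    print(director_login("martin@example.com", "wrong password"))
```

The step numbers in `director_login()` are the point of the example: step 3 (username) necessarily comes after step 1 (challenge), so a director that merely relays a backend's challenge has no username to route on, and a director that answers with a static passdb has no secret to verify against.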
On Wed, 2010-10-13 at 10:53 +0200, Martin Spuetz wrote:
backend config:
passdb {
  driver = vpopmail
  args =
}
userdb {
  driver = vpopmail
}
It seems that the director only works if I use the static passdb?!
How can I use the director with other passdb drivers than the static one?
Oh, and if you want to make director do the authentication directly, you can't currently use passdb vpopmail, because you can't add the proxy=y setting to it. Are your users in SQL? You could use passdb sql directly then.
Hello Timo, thanks for your answer. On 14.10.2010 17:40, Timo Sirainen wrote:
It seems that the director only works if I use the static passdb?!
How can I use the director with other passdb drivers than the static one?
Oh, and if you want to make director do the authentication directly, you can't currently use passdb vpopmail, because you can't add the proxy=y setting to it. Are your users in SQL? You could use passdb sql directly then.
I got it working with passdb sql. I could put the information in the db too, but it would add a new layer of complexity (master/slave replication, failover, etc.) I dug into the dovecot code and I'm asking you whether this would do the job for vpopmail?
--- passdb-vpopmail.c.o 2010-09-22 19:12:32.000000000 +0200 +++ passdb-vpopmail.c 2010-10-16 10:04:50.000000000 +0200 @@ -127,6 +127,8 @@ if (scheme == NULL) scheme = request->passdb->passdb->default_pass_scheme;
+ auth_request_set_field(request, "proxy", "y", scheme); + ret = auth_request_password_verify(request, password, tmp_pass, scheme, "vpopmail"); safe_memset(crypted_pass, 0, strlen(crypted_pass));
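Review bot: the new `auth_request_set_field(request, "proxy", "y", scheme);` line runs before `auth_request_password_verify()`, so proxy=y is attached to the request whether or not the password turns out to be correct; move it after a successful verification (just before the final callback()) so only authenticated requests carry the proxy field. Also, hard-coding "proxy" / "y" turns every vpopmail lookup into a proxy result with no way to switch it off from the passdb args, whereas the static driver exposes it as a setting; if this is meant for general use, read it from the args rather than fixing it in the code.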
It compiles but I haven't tried it yet. Thanks, Martin
On 16.10.2010, at 9.11, Martin Spuetz wrote:
Oh, and if you want to make director do the authentication directly, you can't currently use passdb vpopmail, because you can't add the proxy=y setting to it. Are your users in SQL? You could use passdb sql directly then.
I got it working with passdb sql. I could put the information in the db too, but it would add a new layer of complexity (master/slave replication, failover, etc.)
I was thinking that maybe you were already saving the users in SQL and just accessing that via vpopmail.
I dug into the dovecot code and I'm asking you whether this would do the job for vpopmail?
--- passdb-vpopmail.c.o 2010-09-22 19:12:32.000000000 +0200 +++ passdb-vpopmail.c 2010-10-16 10:04:50.000000000 +0200 @@ -127,6 +127,8 @@ if (scheme == NULL) scheme = request->passdb->passdb->default_pass_scheme;
+ auth_request_set_field(request, "proxy", "y", scheme); + ret = auth_request_password_verify(request, password, tmp_pass, scheme, "vpopmail"); safe_memset(crypted_pass, 0, strlen(crypted_pass));
It compiles but I haven't tried it yet.
Works, I guess, but I'd still rather put it after the password has been verified correct (just before the last callback() call).
Hello Timo,
On 16.10.2010 12:45, Timo Sirainen wrote:
I dug into the dovecot code and I'm asking you whether this would do the job for vpopmail?
[snip]
Works, I guess, but I'd still rather put it after the password has been verified correct (just before the last callback() call).
I copied the argument "parser" from passdb-static.c and created a patch. It works with plain and cram-md5 auth.
Would it be possible to commit this to svn?
Thanks, Martin
On Sun, 2010-10-17 at 21:49 +0200, Martin Spuetz wrote:
I copied the argument "parser" from passdb-static.c and created a patch. It works with plain and cram-md5 auth.
Would it be possible to commit this to svn?
I think that code has had enough copy&pasting already. It should be moved to some common functions that could then be used by all of the passdbs/userdbs that can benefit from it. I could try doing that some day soon..