[Dovecot] Multiple auth checkers
I noticed this is in the TODO:
- support for multiple auth checkers. passdb+userdb should be tied together. auth process configurations really should be used for this..
and is functionality that I really would like, as I have local users (passwd+shadow) and vpopmail users. In -test7's dovecot-example.conf, there is a different format for "blocking" multiple auth types, and I created a conf as such:
auth default {
  mechanisms = plain
  userdb = passwd
  passdb = shadow
  user = root
  count = 2
}
auth vpopmail {
  mechanisms = plain
  userdb = vpopmail
  passdb = vpopmail
  user = vpopmail
  count = 2
}
Password authentication still works fine, but I can't find a way to get it to fall back to using the vpopmail auth. Is this simply not working yet? Timo - what part of the code needs this update?
Thanks.
-D
Change? We fear change.
On Wed, 2003-09-17 at 01:54, Dan Sully wrote:
> auth default {
>   mechanisms = plain
>   userdb = passwd
>   passdb = shadow
>   user = root
>   count = 2
> }
> auth vpopmail {
>   mechanisms = plain
>   userdb = vpopmail
>   passdb = vpopmail
>   user = vpopmail
>   count = 2
> }
Does vpopmail authentication work alone?
> Password authentication still works fine, but I can't find a way to get it to fall back to using the vpopmail auth. Is this simply not working yet? Timo - what part of the code needs this update?
-test7 should support this already. Maybe I've fixed something in it since. I'll create -test8 now, see if it helps.
- Timo Sirainen <tss@iki.fi> shaped the electrons to say...
> Does vpopmail authentication work alone?
Yes it does.
> > Password authentication still works fine, but I can't find a way to get it to fall back to using the vpopmail auth. Is this simply not working yet? Timo - what part of the code needs this update?
> -test7 should support this already. Maybe I've fixed something in it since. I'll create -test8 now, see if it helps.
Ok, thanks.
Is that the correct configuration? It seems to me that there should be a list of valid auth checkers to try in a certain order.
-D
It appears my hypocrisy knows no bounds.
On Wed, 2003-09-17 at 03:04, Dan Sully wrote:
> > > Password authentication still works fine, but I can't find a way to get it to fall back to using the vpopmail auth. Is this simply not working yet? Timo - what part of the code needs this update?
> > -test7 should support this already. Maybe I've fixed something in it since. I'll create -test8 now, see if it helps.
> Ok, thanks.
> Is that the correct configuration?
Yes. It should be enough to just add multiple auth blocks.
> It seems to me that there should be a list of valid auth checkers to try in a certain order.
I was thinking about checking them in specified order, but I don't think it's really worth the trouble. It's not even really possible with eg. PAM since it only tells that the check failed, it doesn't know why. Besides I actually like that I can login to my test server using either of the two passwords. :)
- Timo Sirainen <tss@iki.fi> shaped the electrons to say...
> > Is that the correct configuration?
> Yes. It should be enough to just add multiple auth blocks.
Where in the code does it "fallback" to the other blocks?
I can't seem to find it.
-D
<iNoah> you know, most free operating systems come preinstalled with their own high horse.
On Wed, 2003-09-17 at 03:29, Dan Sully wrote:
> > Yes. It should be enough to just add multiple auth blocks.
> Where in the code does it "fallback" to the other blocks?
> I can't seem to find it.
src/lib-auth/auth-server-request.c sends two requests at the same time. If the first one fails (AUTH_CLIENT_RESULT_FAILURE) it hides the failure and continues with the next one.
The reason it sends multiple requests at the same time is that PAM waits for two seconds before replying failure. The other check can be done while waiting for it. Actually all failed password checks should wait for one or two seconds before replying, I just haven't got around to implementing it..
- Timo Sirainen <tss@iki.fi> shaped the electrons to say...
> src/lib-auth/auth-server-request.c sends two requests at the same time. If the first one fails (AUTH_CLIENT_RESULT_FAILURE) it hides the failure and continues with the next one.
Thanks. Got it all working. -test8 did the trick for whatever reason.
-D
Minds are like parachutes... they work best when open.
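Added example, not part of the original thread and not Dovecot's code: a C sketch of the aggregation Timo describes for src/lib-auth/auth-server-request.c, where a failure from one auth block is hidden while another request is outstanding and the login is rejected only once every block has failed. The struct, enum and function names are assumptions and the replies are constructed; the sketch also records which block accepted the password, since any block's success admits the login, and it does not model the failure delay mentioned in the thread.

```c
#include <stdio.h>

/* All names here are assumptions for this sketch, not Dovecot identifiers. */
enum result { RESULT_PENDING, RESULT_SUCCESS, RESULT_FAILURE };

struct login_attempt {
    int backends;        /* auth blocks the request was sent to (max 32) */
    unsigned seen;       /* bitmask of blocks that have replied */
    int failed;          /* failures hidden from the client so far */
    int winner;          /* block that accepted the password, or -1 */
    enum result final;   /* verdict reported to the client */
};

/* Feed one reply; returns what the client may be told at this point. */
enum result attempt_reply(struct login_attempt *a, int backend, enum result r)
{
    /* Ignore replies after the verdict, non-final, unknown or duplicate ones. */
    if (a->final != RESULT_PENDING || r == RESULT_PENDING ||
        backend < 0 || backend >= a->backends || (a->seen & (1u << backend)))
        return a->final;
    a->seen |= 1u << backend;
    if (r == RESULT_SUCCESS) {
        a->final = RESULT_SUCCESS;       /* first success wins */
        a->winner = backend;
    } else if (++a->failed == a->backends) {
        a->final = RESULT_FAILURE;       /* revealed only when every block said no */
    }
    return a->final;
}

/* Replay n constructed replies and return the final verdict. */
enum result run_case(int backends, const int *who, const enum result *what,
                     int n, int *winner)
{
    struct login_attempt a = { backends, 0, 0, -1, RESULT_PENDING };
    for (int i = 0; i < n; i++)
        attempt_reply(&a, who[i], what[i]);
    *winner = a.winner;
    return a.final;
}

int main(void)
{
    int w, who[] = { 0, 1 };   /* 0 = passwd/shadow block, 1 = vpopmail block */
    enum result what[] = { RESULT_FAILURE, RESULT_SUCCESS };
    enum result r = run_case(2, who, what, 2, &w);
    printf("verdict=%d accepted_by_block=%d\n", r, w);
    return 0;
}
```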