Patch #9 adds support for Open Directory and an encrypted SSL
keystore. Notes about this patch:
- It adds --enable-apple and --with-od options to configure (after
running autoconf).
- It depends on patch #7 (hash_table_create/destroy).
- Automake wipes out this patch's changes to Makefile.in. The
-framework options should come from Makefile.am but the author didn't
do that.
- It uses a tab-stops-every-4 indentation style.
- It may compile and run only on Mac OS X 10.6, currently available via
Apple Developer Connection.
- This code is stable but Apple is still verifying its robustness.
- This is the patch that needs the user name as extra_fields[0] in
deliver, to handle user name aliases.
More patches to come, probably after the holidays.
- Logging doesn't use the auth_request_log_*() calls like the rest of
dovecot-auth. Now things like service name (imap, pop3, ..) or
remote IP address aren't logged.
- The debug logging probably could be enabled with auth_debug=yes
instead of a separate debug option. Although it seems like it's more
meant for developers with the __LINE__ and __FUNCTION__ strings and
things like refcounts which aren't useful for admins.
- The debug logging seems to be written mostly for developers. Are
they still even useful at that level (e.g. refcounts)? More admin-oriented
debug logging (with auth_debug=yes) would also have been helpful.
- The hardcoded maildir: and quota_rule stuff won't get in like
that. :) They'll have to be configurable somehow. Actually couldn't
the whole configuration have been just like with ldap db? (Or actually
the ldap config is a bit annoying, I was planning on making the
user/pass_attrs be configured a bit differently.)
- Passing in_od_info->mem_pool all around just seems to make the
code more confusing, since I doubt it's ever going to be anything else
than system_pool?
- CRAM-MD5 and APOP request/response handler stealing is pretty
evil, especially with the duplicated structs. I'm sure there's a
better way, although probably requires larger changes.
- There are a lot of imap/pop3 references. How would e.g.
managesieve work?
- I'd change several if + i_error() checks to just i_assert()s.
On Dec 30, 2008, at 3:39 PM, Timo Sirainen wrote:
- The debug logging seems to be written mostly for developers. Are
they still even useful at that level (e.g. refcounts)? More admin-oriented
debug logging (with auth_debug=yes) would also have been helpful.
I forgot to delete this.
- CRAM-MD5 and APOP request/response handler stealing is pretty
evil, especially with the duplicated structs. I'm sure there's a
better way, although probably requires larger changes.
Maybe a new passdb_module_interface.verify_challenge_response() method
which is used if lookup_credentials=NULL. I know passdb checkpassword
could also support a similar feature.
Also attached a simplified version of ssl-proxy-openssl.c changes that
conforms to Dovecot coding style and handles errors. But does it still
work? I don't seem to have certadmin.
I forwarded your comments to the original developer (of the code in
the patch). Waiting for a reply.
On Mon, 2009-01-05 at 14:57 -0600, Mike Abbott wrote:
I forwarded your comments to the original developer (of the code in
the patch). Waiting for a reply.
Do you have more patches? I'm wondering if I should just release v1.2.beta1 soon and declare no-more-large-changes freeze for it. The OD patch is pretty self-contained (except for the APOP/CRAM-MD5 parts, perhaps I'll do some API changes for those) and could be added later.
On Wed, 2008-12-31 at 01:31 +0200, Timo Sirainen wrote:
- CRAM-MD5 and APOP request/response handler stealing is pretty
evil, especially with the duplicated structs. I'm sure there's a
better way, although probably requires larger changes.
Maybe a new passdb_module_interface.verify_challenge_response() method
which is used if lookup_credentials=NULL. I know passdb checkpassword
could also support a similar feature.
I did some cleanup changes to v1.2 auth code that makes this slightly easier. Then I started also the rest of it but it was getting more complex than I thought initially, so I ended up just saving the non-working patch: http://dovecot.org/patches/1.2/auth-verify-response.diff
I think I'll release v1.2 without your patches. I had hoped v1.2.0 would have been released already and I don't really want to cause any more delays to it.
On Fri, 2009-01-09 at 11:17 -0600, Mike Abbott wrote:
I think I'll release v1.2 without your patches.
Do you mean without patch 9 (the OD/SSL patch), or without any of our
patches? If the former, then OK, we understand. We're modifying our
OD support for dovecot anyway based on your detailed feedback.
The patches I've already committed will be there, but the multiple-connections-per-imap-process doesn't apply cleanly to v1.2 code and there are probably some things I want to do a bit differently there. Anyway so much work and potential new problems that I'd rather not delay v1.2.0 because of it. It already was delayed several months because of the shared mailbox support.
So I'm planning on feature freezing v1.2 tree now, release v1.2.beta1 this week and then open v1.3 development tree where I'll start adding new features. Hopefully people will start testing v1.2 and v1.2.0 won't be horribly far away in the future.
Sorry for sneaking into this thread, but it might be a reason for a
patch on the Apple side.
Up until 10.3.9 Server, and 10.4 Client, I used to be able to create
users with short name containing a dot. The latest OS doesn't allow
that easily (there seem to be some not so clean workarounds), but the
closest thing I can do is to create the primary short name with
another character in place of the dot (for instance an underscore) and
add an extra short name with the dot as I want it.
Now, if I use PAM for authentication dovecot will not permit using the
alternative dotted short name as it will seem to fail authentication.
I do not remember exactly what is the issue, but I can do a test if
you like. Other servers seem not to have an issue, just dovecot.
Perhaps it is just an issue when interacting with PAM.
Giuliano
Here is the reason for the login failure on Mac OS X (Server) when
using secondary short names:
the unix username is x_y, the additional short name (accepted for
authentication) is x.y:
Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned different user than was requested (x_y != x.y).
Jan 6 15:38:58 dns dovecot[281]: imap-login: Internal login failure (auth failed, 1 attempts): user= lip=127.0.0.1, secured
the secure.log reports no errors:
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded, creating credential for user x.y
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded, creating shared credential for user x.y
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: Succeeded authorizing right system.login.tty by client /usr/local/libexec/dovecot/dovecot-auth for authorization created by /usr/local/libexec/dovecot/dovecot-auth.
Back in 2006 Timo wrote in response to the same problem: "Well, you
could simply remove the check from src/auth/userdb-passwd.c. Perhaps I
could make this also optional. I'd anyway not want to remove that
check completely because nss_ldap is still not fixed."
This is not vital, but perhaps it is time to allow control on this
behaviour that seems to potentially affect various platforms? Or
perhaps should getpwnam return the short user name that matches the
passwd field supplied (if it exists)?
Giuliano
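The check behind that Fatal line, and the "make it optional" idea from Timo's 2006 reply, as an added example in C. This is not Dovecot's own code: the auth process compares the pw_name of the entry getpwnam() returned against the name the client logged in with, and refuses a mismatch because the name service has mapped the login to an account the client never named. The allow_alias knob, the fake_getpwnam() table and the "x_y"/"x.y" entry are constructed for the example (assumptions, not Dovecot settings or real accounts); in alias mode the caller gets the canonical Unix name back so the rest of the session uses x_y rather than the dotted alias.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of validating what the name service handed back. */
enum nss_verdict {
    NSS_OK = 0,            /* entry matches the requested name, or alias accepted */
    NSS_UNKNOWN_USER = 1,  /* getpwnam() returned NULL */
    NSS_NAME_MISMATCH = 2  /* entry belongs to a differently named account */
};

/*
 * The passwd entry returned for `requested` must carry that exact pw_name;
 * otherwise the name service silently resolved the login to some other
 * account and trusting it would run the session as that account.
 *
 * allow_alias is a hypothetical knob (assumption for this example): when set,
 * a differing pw_name is treated as a secondary short name and the canonical
 * name is copied out so the caller continues with the real account name.
 */
enum nss_verdict check_passwd_entry(const char *requested,
                                     const struct passwd *pw,
                                     int allow_alias,
                                     char *canonical, size_t canonical_size)
{
    if (pw == NULL)
        return NSS_UNKNOWN_USER;
    if (strcmp(pw->pw_name, requested) != 0) {
        if (!allow_alias)
            return NSS_NAME_MISMATCH;
        fprintf(stderr, "info: %s is a secondary short name for %s (uid %lu)\n",
                requested, pw->pw_name, (unsigned long)pw->pw_uid);
    }
    if (canonical != NULL && canonical_size > 0)
        snprintf(canonical, canonical_size, "%s", pw->pw_name);
    return NSS_OK;
}

/* Constructed entry reproducing the thread's case: the primary short name
   is "x_y"; the dotted secondary short name "x.y" resolves to the same record. */
static const struct passwd example_entry = {
    .pw_name = "x_y",
    .pw_uid = 1001,
    .pw_gid = 1001,
    .pw_dir = "/Users/x_y",
    .pw_shell = "/bin/sh",
};

/* Constructed stand-in for getpwnam() against the example entry. */
static const struct passwd *fake_getpwnam(const char *name)
{
    if (strcmp(name, "x_y") == 0 || strcmp(name, "x.y") == 0)
        return &example_entry;
    return NULL;
}

/* Strict mode: what the auth process does in the thread's log. */
enum nss_verdict example_strict(const char *login)
{
    return check_passwd_entry(login, fake_getpwnam(login), 0, NULL, 0);
}

/* Alias mode: the canonical name to continue with, or NULL when rejected. */
const char *example_alias(const char *login)
{
    static char canonical[64];
    if (check_passwd_entry(login, fake_getpwnam(login), 1,
                           canonical, sizeof canonical) != NSS_OK)
        return NULL;
    return canonical;
}

/* Stand-alone use: query the live system name service for argv[1];
   set ALLOW_ALIAS in the environment to accept secondary names. */
int main(int argc, char **argv)
{
    char canonical[256];
    const struct passwd *pw;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <login-name>\n", argv[0]);
        return 2;
    }
    pw = getpwnam(argv[1]);
    switch (check_passwd_entry(argv[1], pw, getenv("ALLOW_ALIAS") != NULL,
                               canonical, sizeof canonical)) {
    case NSS_OK:
        printf("%s -> %s\n", argv[1], canonical);
        return 0;
    case NSS_UNKNOWN_USER:
        printf("%s: unknown user\n", argv[1]);
        return 1;
    case NSS_NAME_MISMATCH:
        printf("BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned "
               "different user than was requested (%s != %s)\n",
               pw->pw_name, argv[1]);
        return 1;
    }
    return 1;
}
```

Run as `./a.out x.y` on a box where x.y is a secondary short name and you get the strict refusal; with `ALLOW_ALIAS=1` the program prints the canonical name instead, which is the value deliver and the userdb should carry forward, not the alias the client typed.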
On Tue, 2009-01-06 at 16:02 +0100, Giuliano Gavazzi wrote:
Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned different user than was requested (x_y != x.y).
..
This is not vital, but perhaps it is time to allow control on this
behaviour that seems to potentially affect various platforms? Or
perhaps should getpwnam return the short user name that matches the
passwd field supplied (if it exists)?
On Tue, 6 Jan 2009, at 16:08, Timo Sirainen wrote:
On Tue, 2009-01-06 at 16:02 +0100, Giuliano Gavazzi wrote:
Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned different user than was requested (x_y != x.y).
..
This is not vital, but perhaps it is time to allow control on this behaviour that seems to potentially affect various platforms? Or perhaps should getpwnam return the short user name that matches the passwd field supplied (if it exists)?
That was quick! Thanks,
g
participants (3): Giuliano Gavazzi, Mike Abbott, Timo Sirainen