[Dovecot] Master User Features I'd like to see
Here's what I'd like. Limited master users, where someone can be a master user for some domains but not others. I think I could do what I want with the right kinds of variable passing that doesn't yet exist. Let me see if I can explain clearly.
From the example in the wiki:
auth_master_user_separator = *
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql-master.conf.ext
  master = yes
  pass = yes
}
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
Login looks like this:
# telnet localhost 143
* OK Dovecot ready.
1 login loginuser*masteruser masterpass
1 OK Logged in.
I'm assuming that the masteruser and masterpass are passed to the master passdb and when doing so the variable %u is the master user. I assume that %n and %d also represent the name and domain part of the master user.
What I need is to also be able to have variables for the loginuser passed to the master user query. Something like %lu, %ln, and %ld perhaps. That way with MySQL tricks I might be able to see if the master user is master for that particular login user. That way I can give domain owners or owners of multiple domains the ability to manage the email accounts within their scope of permission.
On 8/15/2010 5:46 PM, Marc Perkel wrote:
> Here's what I'd like. Limited master users, where someone can be a master user for some domains but not others. I think I could do what I want with the right kinds of variable passing that doesn't yet exist. Let me see if I can explain clearly.
> From the example in the wiki:
> auth_master_user_separator = *
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql-master.conf.ext
>   master = yes
>   pass = yes
> }
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
> userdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
> Login looks like this:
> # telnet localhost 143
> * OK Dovecot ready.
> 1 login loginuser*masteruser masterpass
> 1 OK Logged in.
> I'm assuming that the masteruser and masterpass are passed to the master passdb and when doing so the variable %u is the master user. I assume that %n and %d also represent the name and domain part of the master user.
> What I need is to also be able to have variables for the loginuser passed to the master user query. Something like %lu, %ln, and %ld perhaps. That way with MySQL tricks I might be able to see if the master user is master for that particular login user. That way I can give domain owners or owners of multiple domains the ability to manage the email accounts within their scope of permission.
YES, lets make an administrative tool for dovecot supporting multiple domains administrated by various user. Oh, wait! There's vpopmail :-S
Jerrale G. SC Senior Admin
On 15.8.2010, at 22.46, Marc Perkel wrote:
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql-master.conf.ext
>   master = yes
>   pass = yes
> }
> ..
> I'm assuming that the masteruser and masterpass are passed to the master passdb and when doing so the variable %u is the master user. I assume that %n and %d also represent the name and domain part of the master user.
Yes.
> What I need is to also be able to have variables for the loginuser passed to the master user query. Something like %lu, %ln, and %ld perhaps. That way with MySQL tricks I might be able to see if the master user is master for that particular login user. That way I can give domain owners or owners of multiple domains the ability to manage the email accounts within their scope of permission.
These are available in v2.0:
%{login_user} %{login_username} %{login_domain}
I guess they should be added to wiki..
On 8/15/2010 3:06 PM, Timo Sirainen wrote:
> These are available in v2.0:
> %{login_user} %{login_username} %{login_domain}
> I guess they should be added to wiki..
Yeah - let us know where. I'm having a hard time finding the normal variables documented. I'll see if I can use this and get something working.
On 8/15/2010 3:06 PM, Timo Sirainen wrote:
> These are available in v2.0:
> %{login_user} %{login_username} %{login_domain}
> I guess they should be added to wiki..
Hi Timo,
I don't think it's working. I tried this query:
password_query = SELECT user_name, domain_name, password FROM users WHERE user_name = '%n' AND domain_name = '%d' AND owns_domain='1' AND '%d'='%{login_domain}'
It didn't work. However this did:
password_query = SELECT user_name, domain_name, password FROM users WHERE user_name = '%n' AND domain_name = '%d' AND owns_domain='1'
But that doesn't test the '%d'='%{login_domain}' part.
Am I missing something?
I should have been testing 2.0 earlier.
On 8/15/2010 3:06 PM, Timo Sirainen wrote:
> These are available in v2.0:
> %{login_user} %{login_username} %{login_domain}
> I guess they should be added to wiki..
Further testing shows %{login_domain} returns an empty string.
On Aug 15, 2010, at 4:56 PM, Marc Perkel wrote:
> Further testing shows %{login_domain} returns an empty string.
What was your test? Mysql query log?
Did you add them as '%{login_user}' or '%login_user'?
ChangeLog has:
* src/auth/auth-request.c:
auth: Added %{login_user}, %{login_username} and %{login_domain}
variables that are set for master logins.
[5ae4a5c14f5b]
// Brad
On 8/15/2010 5:07 PM, Bradley Giesbrecht wrote:
> What was your test? Mysql query log?
> Did you add them as '%{login_user}' or '%login_user'?
> ChangeLog has:
> * src/auth/auth-request.c:
> auth: Added %{login_user}, %{login_username} and %{login_domain}
> variables that are set for master logins.
> [5ae4a5c14f5b]
> // Brad
The query is:
password_query = SELECT user_name, domain_name, password FROM users WHERE user_name = '%n' AND domain_name = '%d' AND owns_domain='1' AND '%d'='%{login_domain}'
On Mon, 2010-08-16 at 10:49 -0700, Marc Perkel wrote:
> Hi Timo,
> I just tried the 2.0 official release and these variables return an empty string.
Works with me:
passdb {
  driver = sql
  master = yes
  args = /usr/local/etc/dovecot/dovecot-sql-master.conf
  pass = yes
}
password_query =
SELECT "user", password FROM masters
WHERE "user" = '%u' and '%d' = '%{login_domain}'
auth: Debug: sql(master@dovecot.org,::1,master): query: SELECT "user", password FROM masters WHERE "user" = 'master@dovecot.org' and 'dovecot.org' = 'dovecot.org'
auth: Debug: sql(master@dovecot.org,::1,master): query: SELECT "user", password FROM masters WHERE "user" = 'master@dovecot.org' and 'dovecot.org' = 'foobar.org'
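An added illustration, not part of the thread and not Dovecot code: the scope check that the query above performs, generalised to a master who owns several domains. The tables `masters` and `master_domains`, their columns and rows, and the helper names are assumptions constructed for this example; SQLite bound parameters stand in for Dovecot's %u and %{login_domain} expansion.

```python
import sqlite3

SEPARATOR = "*"  # auth_master_user_separator value used in the thread

# Constructed sample data; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE masters (master_user TEXT PRIMARY KEY, password TEXT);
CREATE TABLE master_domains (master_user TEXT, domain TEXT);
INSERT INTO masters VALUES ('master@dovecot.org', '{PLAIN}pass');
INSERT INTO master_domains VALUES ('master@dovecot.org', 'dovecot.org');
INSERT INTO master_domains VALUES ('master@dovecot.org', 'example.net');
"""

# Same shape as a master passdb password_query: :u plays the role of %u and
# :login_domain the role of %{login_domain}. An empty login domain never matches.
QUERY = """
SELECT m.master_user, m.password
FROM masters m JOIN master_domains d ON d.master_user = m.master_user
WHERE m.master_user = :u AND d.domain = :login_domain AND :login_domain <> ''
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def split_login(login):
    """Split 'loginuser*masteruser' into (login_user, master_user)."""
    login_user, sep, master_user = login.partition(SEPARATOR)
    if not (sep and login_user and master_user):
        raise ValueError("not a master login: %r" % login)
    return login_user, master_user

def domain_of(user):
    """Domain part of user@domain, or '' when there is no domain."""
    return user.rpartition("@")[2] if "@" in user else ""

def master_lookup(db, login):
    """Return the master's row if it may act for the login user, else None.
    A returned row only passes the scope check; the password is verified separately."""
    login_user, master_user = split_login(login)
    params = {"u": master_user, "login_domain": domain_of(login_user)}
    return db.execute(QUERY, params).fetchone()

if __name__ == "__main__":
    db = make_db()
    for login in ("tss@dovecot.org*master@dovecot.org", "tss@foobar.org*master@dovecot.org"):
        print(login, "->", "allowed" if master_lookup(db, login) else "denied")
```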
On 8/16/2010 11:04 AM, Timo Sirainen wrote:
> > I just tried the 2.0 official release and these variables return an empty string.
> Works with me:
> passdb {
>   driver = sql
>   master = yes
>   args = /usr/local/etc/dovecot/dovecot-sql-master.conf
>   pass = yes
> }
> password_query =
> SELECT "user", password FROM masters
> WHERE "user" = '%u' and '%d' = '%{login_domain}'
> auth: Debug: sql(master@dovecot.org,::1,master): query: SELECT "user", password FROM masters WHERE "user" = 'master@dovecot.org' and 'dovecot.org' = 'dovecot.org'
> auth: Debug: sql(master@dovecot.org,::1,master): query: SELECT "user", password FROM masters WHERE "user" = 'master@dovecot.org' and 'dovecot.org' = 'foobar.org'
Odd - wonder what I'm doing wrong then? My result:
Aug 16 10:44:43 auth: Debug: sql(support@junkemailfilter.com,127.0.0.1): query: SELECT user_name, domain_name, password FROM users WHERE user_name = 'support' AND domain_name = 'junkemailfilter.com' AND owns_domain='1' AND 'junkemailfilter.com'=''
My query:
password_query = SELECT user_name, domain_name, password FROM users WHERE user_name = '%n' AND domain_name = '%d' AND owns_domain='1' AND '%d'='%{login_domain}'
On Mon, 2010-08-16 at 11:17 -0700, Marc Perkel wrote:
> Odd - wonder what I'm doing wrong then? My result:
> Aug 16 10:44:43 auth: Debug: sql(support@junkemailfilter.com,127.0.0.1): query: SELECT user_name, domain_name, password FROM users WHERE user_name = 'support' AND domain_name = 'junkemailfilter.com' AND owns_domain='1' AND 'junkemailfilter.com'=''
This is from passdb { master = yes } passdb? How are you logging in? I used auth_master_user_separator=* and:
a login tss@dovecot.org*master@dovecot.org pass
b login tss@foobar.org*master@dovecot.org pass
On 8/16/2010 11:26 AM, Timo Sirainen wrote:
> On Mon, 2010-08-16 at 11:17 -0700, Marc Perkel wrote:
> > Odd - wonder what I'm doing wrong then? My result:
> > Aug 16 10:44:43 auth: Debug: sql(support@junkemailfilter.com,127.0.0.1): query: SELECT user_name, domain_name, password FROM users WHERE user_name = 'support' AND domain_name = 'junkemailfilter.com' AND owns_domain='1' AND 'junkemailfilter.com'=''
> This is from passdb { master = yes } passdb? How are you logging in? I used auth_master_user_separator=* and:
> a login tss@dovecot.org*master@dovecot.org pass
> b login tss@foobar.org*master@dovecot.org pass
auth_master_user_separator = *
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-domain-owner-sql.conf
  master = yes
  pass = yes
}
I'm logging in leslie@junkemailfilter.com*support@junkemailfilter.com
But the %{login_domain} evaluates to an empty string as you can see from the results of the debug.
Aug 16 10:44:43 auth: Debug: sql(support@junkemailfilter.com,127.0.0.1): query: SELECT user_name, domain_name, password FROM users WHERE user_name = 'support' AND domain_name = 'junkemailfilter.com' AND owns_domain='1' AND *'junkemailfilter.com'=''*
On 8/16/2010 2:24 PM, Timo Sirainen wrote:
> On 16.8.2010, at 22.01, Marc Perkel wrote:
> > But the %{login_domain} evaluates to an empty string as you can see from the results of the debug.
> What about %{login_user} or %{username}?
Interestingly %{login_user} doesn't work either returning an empty string. However %{username} works.
On 8/16/2010 2:24 PM, Timo Sirainen wrote:
> On 16.8.2010, at 22.01, Marc Perkel wrote:
> > But the %{login_domain} evaluates to an empty string as you can see from the results of the debug.
> What about %{login_user} or %{username}?
Actually - spoke too soon. %{username} returned the wrong value. It returned that name part of the master user.
On 8/16/2010 2:24 PM, Timo Sirainen wrote:
> On 16.8.2010, at 22.01, Marc Perkel wrote:
> > But the %{login_domain} evaluates to an empty string as you can see from the results of the debug.
> What about %{login_user} or %{username}?
Hi Timo,
Apparently I'm getting different results than you are. I'm trying to think of anything unusual I might be doing. I do have more than one master user db. Perhaps that is the problem? Are there some tests I can run to debug this?
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-master-sql.conf
  master = yes
  pass = yes
}
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-domain-owner-sql.conf
  master = yes
  pass = yes
}
You can use checkpassword: http://wiki.dovecot.org/AuthDatabase/CheckPassword
Works fine for me for master user authentication.
Emerson Pinter