[Dovecot] Feature Request - Authentication Scheme - Linuxconf

Dominic Marks dom at goodforbusiness.co.uk
Sun Jul 17 02:47:58 EEST 2005


On Sunday 17 July 2005 00:28, Marc Perkel wrote:
> Dominic Marks wrote:
> >On Saturday 16 July 2005 23:59, Marc Perkel wrote:
> >>This would make my life a lot easier in migrating to Dovecot. And
> >> it should be really easy to implement. Here's how linuxconf does
> >> it:
> >>
> >>Password files are placed in the /etc/vmail directory as follows:
> >>
> >>/etc/vmail/passwd.domain1
> >>/etc/vmail/shadow.domain1
> >>/etc/vmail/passwd.domain2
> >>/etc/vmail/shadow.domain2
> >>
> >>The password and shadow files are exactly the same format as the
> >>/etc/password and /etc/shadow files. The user name within the files
> >>would be the %n part of the email address passed to authenticate
> >>with.
> >>
> >>Basically the password file names are /etc/vmail/passwd.%d with the
> >>user within the file being %n.
> >>
> >>marc:x:40000:12:Marc Perkel:/vhome/perkel.com/home/marc:/bin/false
> >>test:x:40001:12::/vhome/perkel.com/home/test:/bin/false
> >>dd:x:40002:12:Atia:/vhome/perkel.com/home/dd:/bin/false
> >>test2:x:40003:12::/vhome/perkel.com/home/test2:/bin/false
> >>
> >>It also makes merging several servers with separate passwd/shadow
> >>files into one virtual system because all you have to do is copy
> >>their existing passwd/shadow files into the /etc/vmail directory
> >> and rename them with the domain at the end.
> >>
> >>So - wouldn't that be easy to add? Sure would make migrating easy
> >> for me.
> >
> >Not commenting on the idea, but:
> >
> >From the Dovecot Wiki:
> > http://wiki.dovecot.org/moin.cgi/Authentication
> >
> >"Dovecot 1.0-tests support defining multiple password databases, so
> > that if password doesn't match in the first database, it checks the
> > next one. This can be useful if you want to easily support having
> > both local system users in /etc/passwd but also virtual users..."
> >
> >Using this you could implement what you describe, with one small
> >exception that usernames would have to be renamed in your passwd
> >files to their appropriate user@domain form. I think that it is
> >good practice to name your users with the complete name in the
> > passwd file.
> >
> >Cheers,
>
> Yes - I'm trying to avoid migration to a new format because I have an
> interface that manages the passwd/shadow method that I'm using now. I
> would have to run a conversion script once a minute if I changed it to
> something else. And I have about 200 of these virtual domain files.

I think the current method is more robust since it does not
depend on the file name. I don't know anything about the interface
you use, but could you not simply modify it to store the username
as user@domain? That would be the only change you need to make.

I'm not trying to argue against your idea, just suggesting
alternatives within the existing code base.

> It's actually a pretty good system and I believe it would be trivial
> to make Dovecot compatible with it. If I migrate I would have to
> merge these 200 files into one big file and that might be slow and

As the documentation says, you can define many passwd files, no
need to merge them. As for being slow, maybe if you have tens of
thousands of users in your passwd files. Otherwise, I doubt very
much if you could measure the difference.

> ungle, unless I went to MySQL perhaps. I was experimenting with that
> and couldn't get it to work.

Unlikely to be worth the bother unless you have a very
large number of users.

Cheers,
-- 
Dominic Marks
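
The per-domain lookup described in the quoted request (file /etc/vmail/passwd.%d, user %n), as an added example that is not part of the thread and is not Dovecot code; it covers only the passwd lookup, not shadow verification. The function name and the domain pattern are assumptions: because %d comes from the login string and ends up in a file name, it is validated before any path is built.

```python
import os
import re
import tempfile

# Assumption: domains are limited to hostname characters, which keeps "/" and
# leading dots out of the value before it is used in a file name.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
DOMAIN_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def lookup_virtual_user(login, base_dir="/etc/vmail"):
    """Return the passwd entry for user@domain from base_dir/passwd.<domain>, or None."""
    local, sep, domain = login.rpartition("@")
    domain = domain.lower()
    if not sep or not local or ":" in local or not DOMAIN_RE.fullmatch(domain):
        return None  # malformed login: never build a path from it
    path = os.path.join(base_dir, "passwd." + domain)
    # Defence in depth: the resolved file must still sit directly in base_dir.
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(base_dir):
        return None
    try:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":")
                if len(parts) == len(FIELDS) and parts[0] == local:
                    return dict(zip(FIELDS, parts))
    except FileNotFoundError:
        return None  # unknown domain
    return None


def demo():
    # Constructed sample: two entries in the format quoted in the thread.
    sample = (
        "marc:x:40000:12:Marc Perkel:/vhome/perkel.com/home/marc:/bin/false\n"
        "test:x:40001:12::/vhome/perkel.com/home/test:/bin/false\n"
    )
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "passwd.perkel.com"), "w", encoding="utf-8") as fh:
            fh.write(sample)
        logins = ("marc@perkel.com", "marc@example.org", "marc@perkel.com/x")
        return [lookup_virtual_user(login, base) for login in logins]


if __name__ == "__main__":
    for result in demo():
        print(result)
```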


