[Dovecot] (vaguely) related to: "doveadm auth user" ...

Timo Sirainen tss at iki.fi
Tue Nov 30 02:28:32 EET 2010


On 27.11.2010, at 23.44, Clemens Schrimpe wrote:

> While digging through the code I remember having seen something like an (yet undocumented) "update_query" for SQL (and I guess something similar for the LDAP faction as well)?!

Yes, it's only for SQL though, and its primary purpose is for OTP and SKEY auth mechanisms to update the one-time-password.

> Can that be used to augment the "doveadm pw" function to actually /set/ the password for a given user instead of just "calculating" the hash, so that an operator can copy&waste it into the respective passdb?

I guess it could.. Of course would require that admin has set the update_query correctly. But a much more important problem would be how to do this securely. Many people have given pretty wide permissions for auth sockets, because they can't really be used for doing any harm. By adding this command it would be much worse. Perhaps yet another new socket would have to be created: auth-admin.

> Just curious ... I guess it would be nice to have "doveadm" become as central point of administration (yeah, yeah - we would still need a "create user" and "delete user", etc. -- but we would at least be further on our way, wouldn't we? :-)

I'm not really sure if those will ever be supported. Or perhaps as doveadm plugins / scripts for whatever tool people are using for user management. Then again, if those are done, the password changing could be done the same way.

I think it's too much trouble with too little benefit at least for now.


More information about the dovecot mailing list