[Dovecot] passdb to add extra fields?

Timo Sirainen tss at iki.fi
Wed Jan 30 22:46:16 EET 2013


Added basically this: http://hg.dovecot.org/dovecot-2.2/rev/d60aa734c72d

Hopefully I didn't break people's authentications too much. :)

On 30.1.2013, at 15.49, Timo Sirainen <tss at iki.fi> wrote:

> On 19.12.2012, at 0.24, Ben Morrow <ben at morrow.me.uk> wrote:
> 
>>> Also there are already "deny" and "pass" settings. Interaction with them
>>> can be somewhat confusing.. Maybe all of these should be replaced with:
>>> 
>>> type=deny: Same as old deny=yes (deny auth if user is in list)
>>> type=precondition(?): Same as pass=yes (require another passdb to match)
>>> type=postcondition(?): Require user to exist in this passdb/userdb as
>>> well, adding any extra fields in it.
>>> type=add: Add any extra fields, if the user exists at all.
>> 
>> This sounds like the nsswitch.conf [notfound=continue] stuff, perhaps
>> you could use those names? 
>> 
>>   Status
>>   success     entry found
>>   notfound    entry definitely not found
>>   tryagain    database temporarily unavailable
>>   unavail     database not responding (an error of some kind)
> 
> I wonder what's the difference between tryagain and unavail. Sounds like the same thing to me.
> 
>>   Action
>>   return      return the current result
>>   continue    try the next db and accumulate fields
>> 
>> with defaults of
>> 
>>   success = return
>>   notfound = continue
>>   tryagain = continue
>>   unavail = continue
>> 
>> You could potentially add other actions, like 'retry' which waits a bit
>> and retries. Some sort of 'tempfail' action, which returns temporary
>> failure to the client, would be good, but I don't think IMAP supports
>> that, unless you just drop the connection and assume the client will
>> reconnect and retry.
> 
> Hmm. I guess this would work, with defaults:
> 
> passdb {
>  skip = never
>  success = return-ok
>  notfound = continue
>  unavail = continue
> }
> 
> The possible values for skip:
> - never: always do this passdb lookup
> - authenticated: skip if user is already authenticated by a previous passdb
> - unauthenticated: skip if user isn't authenticated
> 
> The possible values for success/notfound/unavail:
> - return, return-ok, return-fail
> - continue, continue-ok, continue-fail
> 
> where return/continue preserves the success-status without changing it, while the -ok and -fail variants change the success-status. The default status is fail, only return-ok / continue-ok changes that.
> 
> So:
> 
> - deny=yes would be success=return-fail.
> 
> - pass=yes would be success=continue (or continue-fail, but usually that would be the same)
> 
> - Two passdbs, second one adding extra fields:
> 
> a) require user to be in both: passdb { success = continue }, passdb { skip = unauthenticated }
> b) don't require user in the second: passdb { success = continue-ok }, passdb { skip = unauthenticated }
> 
> - 3 passdbs, with first two authenticating and last one adding extra fields:
> 
> passdb { success = continue }, passdb { success = continue skip = authenticated }, passdb { skip = unauthenticated }
> 
> I think you can do pretty much any wanted combination with these. Also, I think a result_ prefix would be good; too lazy to update the rest of the mail now. So result_success, result_notfound and result_unavail.
> 
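The chaining rules sketched in the mail (skip, result_success / result_notfound / result_unavail with the return/continue and -ok/-fail variants) are easy to get wrong when writing a passdb chain, so here is an added toy model that walks a chain under those rules and replays the deny, (a), (b), three-passdb and unavailable-backend cases. It is constructed for illustration and is not Dovecot's own code or its configuration parser. The passdb contents (MAIN, BACKUP, EXTRA, DENY) are made up, and one assumption is built in: the "authenticated" state that `skip` looks at records whether any earlier passdb verified the credentials, separately from the ok/fail success-status that only the -ok / -fail rules change; that is the reading under which example (a) in the mail works, since `success = continue` there leaves the status at fail.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy model of the passdb chaining rules sketched in the mail above.
# It is not Dovecot's code; the passdb contents below are made up.

RULES = ("return", "return-ok", "return-fail",
         "continue", "continue-ok", "continue-fail")


@dataclass
class Passdb:
    name: str
    # user -> (password, extra fields); None models a backend that is down
    users: Optional[dict]
    check_password: bool = True          # False: membership list (deny list, extra fields)
    skip: str = "never"                  # never | authenticated | unauthenticated
    result_success: str = "return-ok"    # defaults as given in the mail
    result_notfound: str = "continue"
    result_unavail: str = "continue"

    def lookup(self, user, password):
        """Return (outcome, extra_fields); outcome is success, notfound or unavail."""
        if self.users is None:
            return "unavail", {}
        entry = self.users.get(user)
        if entry is None:
            return "notfound", {}
        if self.check_password and entry[0] != password:
            return "notfound", {}        # a wrong password is treated like "not found" here
        return "success", dict(entry[1])


def authenticate(chain, user, password):
    """Walk the passdb chain; return (status, accumulated fields, trace)."""
    status = "fail"          # the success-status; only -ok / -fail rules change it
    authenticated = False    # assumption: set once any passdb verified the credentials
    fields, trace = {}, []
    for db in chain:
        if ((db.skip == "authenticated" and authenticated)
                or (db.skip == "unauthenticated" and not authenticated)):
            trace.append(f"{db.name}: skipped")
            continue
        outcome, extra = db.lookup(user, password)
        rule = getattr(db, "result_" + outcome)
        if rule not in RULES:
            raise ValueError(f"{db.name}: bad rule {rule!r}")
        trace.append(f"{db.name}: {outcome} -> {rule}")
        if outcome == "success":
            authenticated = True
            fields.update(extra)     # "continue: try the next db and accumulate fields"
        if rule.endswith("-ok"):
            status = "ok"
        elif rule.endswith("-fail"):
            status = "fail"
        if rule.startswith("return"):
            break
    return status, fields, trace


# Made-up account data for the examples.
MAIN = {"alice": ("s3cret", {"uid": "1000"}), "bob": ("hunter2", {"uid": "1001"}),
        "mallory": ("pw", {"uid": "1002"})}
BACKUP = {"dave": ("d4ve", {"uid": "2000"})}
EXTRA = {"alice": (None, {"quota_rule": "*:storage=1G"}),
         "dave": (None, {"quota_rule": "*:storage=5G"})}
DENY = {"mallory": (None, {})}


def deny_chain():            # old deny=yes == result_success=return-fail
    return [Passdb("deny", DENY, check_password=False, result_success="return-fail"),
            Passdb("main", MAIN)]

def both_required_chain():   # (a): user must exist in both passdbs
    return [Passdb("main", MAIN, result_success="continue"),
            Passdb("extra", EXTRA, check_password=False, skip="unauthenticated")]

def extra_optional_chain():  # (b): second passdb only adds fields when the user is there
    return [Passdb("main", MAIN, result_success="continue-ok"),
            Passdb("extra", EXTRA, check_password=False, skip="unauthenticated")]

def three_passdb_chain():    # two authenticating passdbs, third adds extra fields
    return [Passdb("main", MAIN, result_success="continue"),
            Passdb("backup", BACKUP, result_success="continue", skip="authenticated"),
            Passdb("extra", EXTRA, check_password=False, skip="unauthenticated")]

def unavail_chain(rule="continue"):  # a down backend in front of the main passdb
    return [Passdb("ldap", None, result_unavail=rule), Passdb("main", MAIN)]


if __name__ == "__main__":
    for label, chain, user, pw in [("deny", deny_chain(), "mallory", "pw"),
                                   ("a", both_required_chain(), "bob", "hunter2"),
                                   ("b", extra_optional_chain(), "bob", "hunter2"),
                                   ("3", three_passdb_chain(), "dave", "d4ve")]:
        status, fields, trace = authenticate(chain, user, pw)
        print(f"[{label}] {user}: {status} {fields} via {trace}")
```

The trace returned by `authenticate` is the part worth keeping an eye on when a chain misbehaves: case (a) with a user who is only in the first passdb ends in `fail` although the password was right, because `continue` never set the status to ok and the second passdb's `notfound` leaves it untouched, which is exactly the difference between (a) and (b).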