[Dovecot] %{orig_user} missing in checkpassword-Script
Timo Sirainen
tss at iki.fi
Mon May 5 11:29:19 UTC 2014
OK, added: http://hg.dovecot.org/dovecot-2.2/rev/1e099feb1dea
On 3.5.2014, at 15.32, dovecot.pkoch at dfgh.net wrote:
> Dear dovecot maintainers:
>
> I'm using SSL client certificates together with a checkpassword scripts
> to authenticate our users.
>
> My problem is: In the checkpassword script the AUTH_USER environment
> variable will either contain the username that was configured in the
> mailclient (if auth_ssl_username_from_cert=false) or the username
> from the certificate (if auth_ssl_username_from_cert=true).
>
> I would like to compare both values, i.e. the %{user} Dovecot-variable
> and the %{orig_user} Dovecot-variable. But the environment of a
> checkpassword-script has only one of them.
>
> I tried myself and found the following:
> - the environment of a checkpassword script is set up by
> checkpassword_setup_env() in db-checkpassword.c
> - checkpassword_setup_env() calls env_put_auth_vars()
> - env_put_auth_vars() creates AUTH_xxx environment variables for all
> entries of the auth_request_get_var_expand_table()
> - the auth_request_get_var_expand_table_full() routine does not contain the
> original user, but the auth_request-struct does.
>
> So I changed the dovecot source code (version 2.2.12) as follows:
>
> In src/auth/auth-request.h line 152 I replaced
> #define AUTH_REQUEST_VAR_TAB_COUNT 27
> by
> #define AUTH_REQUEST_VAR_TAB_COUNT 30
>
> In src/auth/auth-request.c around line 2027 I replaced the
> following lines at the end of auth_request_var_expand_static_tab
>
>     { '\0', NULL, "session_pid" },
>     /* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
>     { '\0', NULL, NULL }
> };
>
> by
>
>     { '\0', NULL, "session_pid" },
>     { '\0', NULL, "orig_user" },
>     { '\0', NULL, "orig_username" },
>     { '\0', NULL, "orig_domain" },
>     /* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
>     { '\0', NULL, NULL }
> };
>
> In src/auth/auth-request.c around line 2116 I replaced the
> following lines at the end of function
> auth_request_get_var_expand_table_full()
>
>     tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
>         dec2str(auth_request->session_pid);
>     return ret_tab;
>
> by
>
>     tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
>         dec2str(auth_request->session_pid);
>     if (auth_request->original_username != NULL) {
>         tab[27].value =
>             escape_func(auth_request->original_username, auth_request);
>         tab[28].value =
>             escape_func(t_strcut(auth_request->original_username, '@'),
>                         auth_request);
>         tab[29].value = strchr(auth_request->original_username, '@');
>         if (tab[29].value != NULL) {
>             tab[29].value = escape_func(tab[29].value+1, auth_request);
>         }
>     }
>     return ret_tab;
>
> This will add AUTH_ORIG_USER, AUTH_ORIG_USERNAME and AUTH_ORIG_DOMAIN
> environment variables to the environment of every checkpassword script.
>
> If this is the correct way to extend the environment of a
> checkpassword-script, then you might consider adding these minor changes
> to the dovecot source.
>
> Kind regards and thanks very much for this wonderful project
>
> Peter Koch
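As an added illustration of how a checkpassword script could use the variables this message proposes (AUTH_USER next to AUTH_ORIG_USER), the following POSIX shell script was written for this page; it is not code from the thread or from Dovecot. The user names and the credential table in it are constructed sample data. The fd 3 input format, the exec of the reply program passed as `$1` and the exit code 1 on authentication failure follow the checkpassword convention Dovecot documents; the policy checks are kept in separate functions so they can be exercised without a running Dovecot.

```shell
#!/bin/sh
# Added example for this page (not from the thread or from Dovecot): a
# minimal checkpassword-style script that compares AUTH_USER, the identity
# Dovecot will authenticate, with AUTH_ORIG_USER, the identity the mail
# client originally sent, which the patch in this thread exports.
# Dovecot passes the reply program as $1 and "user\0password\0timestamp\0"
# on fd 3; the script execs $1 on success and exits 1 on failure.

# identities_agree USER ORIG_USER
# Returns 0 when the effective identity matches the originally supplied one,
# or when no original identity was recorded (empty ORIG_USER); 1 otherwise.
identities_agree() {
    if [ -z "$2" ]; then
        return 0
    fi
    [ "$1" = "$2" ]
}

# verify_password USER PASSWORD
# Constructed stand-in for a real credential lookup (a production script
# would query a database or PAM instead); returns 0 on a match.
verify_password() {
    case "$1:$2" in
        "alice@example.org:correct-horse") return 0 ;;
        "bob@example.org:battery-staple")  return 0 ;;
    esac
    return 1
}

# decide USER PASSWORD ORIG_USER
# Applies both checks, prints the verdict and returns 0 (allow) or 1 (deny).
# The identity check runs first so a certificate/client-name mismatch is
# refused before any password is examined.
decide() {
    if ! identities_agree "$1" "$3"; then
        echo "deny: identity mismatch"
        return 1
    fi
    if ! verify_password "$1" "$2"; then
        echo "deny: bad password"
        return 1
    fi
    echo "allow"
    return 0
}

# main REPLY_PROGRAM: the checkpassword entry point used when Dovecot runs
# the script. NUL separators are turned into newlines so a POSIX shell can
# read the fields (passwords containing a newline are not handled here).
main() {
    input=$(tr '\0' '\n' <&3)
    fd3_user=$(printf '%s\n' "$input" | sed -n '1p')
    password=$(printf '%s\n' "$input" | sed -n '2p')
    # Prefer the environment's AUTH_USER; fall back to the fd 3 username.
    if decide "${AUTH_USER:-$fd3_user}" "$password" "${AUTH_ORIG_USER:-}" >&2; then
        exec "$1"
    fi
    exit 1
}

# Only speak the protocol when invoked with a reply program, as Dovecot does;
# otherwise the functions stay available for testing.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The verdict is written to stderr so that it shows up in Dovecot's log of the checkpassword process, and the identity comparison is deliberately a plain string equality: whether case or domain differences should be tolerated is a site policy that belongs in `identities_agree`, not scattered through the script.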