[Dovecot] Director and CRAM-MD5

2010-10-13 Thread Martin Spuetz 
Hello,

i have a setup with two director servers pointing to two backends. I
don't care that much for load balancing, my main goal is high availability.

CRAM-MD5 auth is working fine if I connect directly to the backends, but
the director only supports AUTH=PLAIN because of the static passdb.

director config:
> passdb {
>   driver = static
>   args = nopassword=y proxy=y
> }
> 
> director_servers = director1 director2
> director_mail_servers = backend1 backend2

backend config:
> passdb {
>   driver = vpopmail
>   args =
> }
> 
> userdb {
>   driver = vpopmail
> }

It seems that the director is only working, if I use the static passdb?!

How can I use the director with other passdb drivers than the static one?

Greetings,
Martin

Re: [Dovecot] Director and CRAM-MD5

2010-10-16 Thread Martin Spuetz 
Hello Timo,

thanks for your answer.

On 14.10.2010 17:40, Timo Sirainen wrote:
>> It seems that the director is only working, if I use the static
>> passdb?!
>>
>> How can I use the director with other passdb drivers than the static
>> one?
> 
> Oh, and if you want to make director do the authentication directly, you
> can't currently use passdb vpopmail, because you can't add the proxy=y
> setting to it. Are your users in SQL? You could use passdb sql directly
> then.

I got it working with passdb sql. I could put the information in the db
too, but it would add a new layer of complexity (master/slave
replication, failover, etc.)

I digged into the dovecot code and I'm asking you whether this would do
the job for vpopmail?

> --- passdb-vpopmail.c.o 2010-09-22 19:12:32.0 +0200
> +++ passdb-vpopmail.c   2010-10-16 10:04:50.0 +0200
> @@ -127,6 +127,8 @@
> if (scheme == NULL)
> scheme = request->passdb->passdb->default_pass_scheme;
> 
> +   auth_request_set_field(request, "proxy", "y", scheme);
> +
> ret = auth_request_password_verify(request, password,
>tmp_pass, scheme, "vpopmail");
> safe_memset(crypted_pass, 0, strlen(crypted_pass));

It compiles but I haven't tried it yet.

Thanks,
Martin

Re: [Dovecot] Director and CRAM-MD5

2010-10-17 Thread Martin Spuetz 
Hello Timo,

On 16.10.2010 12:45, Timo Sirainen wrote:
>> I digged into the dovecot code and I'm asking you whether this would do
>> the job for vpopmail?

[snip]

> Works, I guess, but I'd still rather put it after the password has been 
> verified correct (just before the last callback() call).

I copied the argument "parser" from passdb-static.c and created a patch.
It works with plain and cram-md5 auth.

Would it be possible to commit this to svn?

Thanks,
Martin
--- /usr/local/src/dovecot-2.0.4.orig/src/auth/passdb-vpopmail.c
2010-10-17 21:19:18.0 +0200
+++ src/auth/passdb-vpopmail.c  2010-10-17 21:40:08.0 +0200
@@ -10,6 +10,10 @@
 #include "safe-memset.h"
 #include "password-scheme.h"
 #include "auth-cache.h"
+#include "auth-common.h"
+#include "array.h"
+#include "str.h"
+#include "var-expand.h"
 
 #include "userdb-vpopmail.h"
 
@@ -26,6 +30,7 @@
struct passdb_module module;
 
struct ip_addr webmail_ip;
+   ARRAY_TYPE(const_string) tmpl;
 };
 
 static bool vpopmail_is_disabled(struct auth_request *request,
@@ -95,12 +100,35 @@
 {
enum passdb_result result;
char *password;
+   struct vpopmail_passdb_module *module =
+   (struct vpopmail_passdb_module *)request->passdb->passdb;
+   const struct var_expand_table *table;
+   const char *const *args;
+   unsigned int i, count;
+   string_t *str = t_str_new(128);
+   const char *scheme;
 
password = vpopmail_password_lookup(request, TRUE, &result);
if (password == NULL) {
callback(result, NULL, 0, request);
return;
}
+   
+   scheme = request->passdb->passdb->default_pass_scheme;
+   
+   args = array_get(&module->tmpl, &count);
+   for (i = 0; i < count; i += 2) {
+   const char *key = args[i];
+   const char *value = args[i+1];
+
+   if (value != NULL) {
+   str_truncate(str, 0);
+   var_expand(str, args[i+1], table);
+   value = str_c(str);
+   }
+
+   auth_request_set_field(request, key, value, scheme);
+   }
 
passdb_handle_credentials(PASSDB_RESULT_OK, password, "CLEARTEXT",
  callback, request);
@@ -115,6 +143,12 @@
const char *scheme, *tmp_pass;
char *crypted_pass;
int ret;
+   struct vpopmail_passdb_module *module =
+   (struct vpopmail_passdb_module *)request->passdb->passdb;
+   const struct var_expand_table *table;
+   const char *const *args;
+   unsigned int i, count;
+   string_t *str = t_str_new(128);
 
crypted_pass = vpopmail_password_lookup(request, FALSE, &result);
if (crypted_pass == NULL) {
@@ -136,6 +170,20 @@
return;
}
 
+   args = array_get(&module->tmpl, &count);
+   for (i = 0; i < count; i += 2) {
+   const char *key = args[i];
+   const char *value = args[i+1];
+
+   if (value != NULL) {
+   str_truncate(str, 0);
+   var_expand(str, args[i+1], table);
+   value = str_c(str);
+   }
+
+   auth_request_set_field(request, key, value, scheme);
+   }
+
 #ifdef HAVE_VPOPMAIL_OPEN_SMTP_RELAY
if (strcmp(request->service, "POP3") == 0 ||
strcmp(request->service, "IMAP") == 0) {
@@ -168,6 +216,8 @@
module = p_new(pool, struct vpopmail_passdb_module, 1);
module->module.default_pass_scheme = VPOPMAIL_DEFAULT_PASS_SCHEME;
 
+   p_array_init(&module->tmpl, pool, 16);
+
tmp = t_strsplit_spaces(args, " ");
for (; *tmp != NULL; tmp++) {
if (strncmp(*tmp, "cache_key=", 10) == 0) {
@@ -177,7 +227,18 @@
if (net_addr2ip(*tmp + 8, &module->webmail_ip) < 0)
i_fatal("vpopmail: Invalid webmail IP address");
} else {
-   i_fatal("passdb vpopmail: Unknown setting: %s", *tmp);
+   const char *key = *tmp;
+   const char *value = strchr(key, '=');
+
+   if (value == NULL)
+   value = "";
+   else
+   key = t_strdup_until(key, value++);
+
+   key = p_strdup(pool, key);
+   value = p_strdup(pool, value);
+   array_append(&module->tmpl, &key, 1);
+   array_append(&module->tmpl, &value, 1);
}
}
if (!vauth_load_initialized) {