Hello R.,

Thank you for the reply.

On 4/17/23 14:49, Robert Lister wrote:

Interesting...

I'm not sure why you would need to set: "NULL AS password, 'Y' as nopassword", but then I haven't seen the rest of your auth config. This would seem to allow any password but succeed if it matches the rest of the query.

The query does not return the password, only the hash, thus "NULL AS password", as I understand it.  It is documented.  The 'Y' as no password is found earlier in this thread.


It seemed a bit awkward to me to embed static variables in the query which
are always going to be the same.

In the auth- config, or 10-mail.conf I just set:-

# Defaults:
mail_uid = vmail
mail_gid = vmail
mail_home = /var/lib/vmail/%d/%n

# (this is set elsewhere in 10-mail.conf.)
mail_location = maildir:~/Maildir

I think you are right.  My eye was on migrating global settings to SQL accounts but it probably will not happen.  Nevertheless, I suspect it adds little burden having static variables given it requires no database access, no?


userdb can still override these if needed, but it means that the query
is a lot simpler and if one of the queries doesn't return home/uid/gid
etc, it's always going to be set anyway.

Seems to me it is a matter of preference.


What does the "crypt" bit of "IF (crypt & 1, SHA2('%w',512)" do? Crypt
it before running the select?

Why not just set:

default_pass_scheme =  ?

"crypt" bit 0 is a flag to encrypt passwords.  I have chosen a custom hash.  Can I replace it with "default_pass_scheme = ?"?

Regards,
David


R.


On 2023-04-17 18:57, dko...@sutinen.com wrote:
For the archive: This MySQL configuration seems to work well.

user_query = \
   SELECT \
        email AS user, \
        '/var/lib/vmail/%d/%n' AS home, \
        'maildir:/var/lib/vmail/%d/%n/Maildir' AS mail, \
        5000 AS uid, \
        5000 AS gid \
    FROM \
        view_users \
    WHERE \
        email='%u' \
    AND \
        enable = '1'

password_query = \
    SELECT \
        email AS user, \
        NULL AS password, \
        'Y' as nopassword \
    FROM \
        view_users \
    WHERE \
        email='%u' \
    AND \
        password=IF (crypt & 1, SHA2('%w',512), password) \
    AND \
        enable = '1'


_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
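
The following is an added example, not code from the thread or from the Dovecot project. It runs the password_query above against an in-memory SQLite table to show which logins return a row: in the WHERE clause, `password` is the table column (not the `NULL AS password` alias), so for rows with crypt bit 0 clear the comparison is the column against itself. Assumptions: the rows are constructed, CASE stands in for MySQL's IF(), a Python function stands in for SHA2(), and bound parameters stand in for %u and %w.

```python
import hashlib
import sqlite3

# Constructed sample rows: (email, password, crypt, enable).
SAMPLE_USERS = [
    ("hashed@example.com", hashlib.sha512(b"s3cret").hexdigest(), 1, "1"),
    ("plain@example.com", "s3cret", 0, "1"),
    ("off@example.com", hashlib.sha512(b"s3cret").hexdigest(), 1, "0"),
]

# The thread's password_query, adapted for SQLite (an assumption of this
# example): CASE stands in for MySQL's IF(), and bound parameters stand in
# for Dovecot's %u and %w.
PASSWORD_QUERY = """
    SELECT email AS user, NULL AS password, 'Y' AS nopassword
    FROM view_users
    WHERE email = :u
      AND password = CASE WHEN crypt & 1 THEN SHA2(:w, 512) ELSE password END
      AND enable = '1'
"""

# Audit query (hypothetical, not from the thread): enabled rows where the
# comparison reduces to password = password.
AUDIT_QUERY = """
    SELECT email FROM view_users
    WHERE (crypt & 1) = 0 AND password IS NOT NULL AND enable = '1'
"""

def sha2(text, bits):
    # Stand-in for MySQL SHA2(): lowercase hex digest, input encoded as UTF-8 here.
    return hashlib.new(f"sha{bits}", text.encode()).hexdigest()

def make_db(rows=SAMPLE_USERS):
    db = sqlite3.connect(":memory:")
    db.create_function("SHA2", 2, sha2)
    db.execute("CREATE TABLE view_users (email TEXT, password TEXT, crypt INTEGER, enable TEXT)")
    db.executemany("INSERT INTO view_users VALUES (?, ?, ?, ?)", rows)
    return db

def authenticates(db, user, submitted):
    # With nopassword='Y', any returned row means the login is accepted.
    return db.execute(PASSWORD_QUERY, {"u": user, "w": submitted}).fetchone() is not None

def accepts_any_password(db):
    return [email for (email,) in db.execute(AUDIT_QUERY)]

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("hashed@example.com", "s3cret"), ("hashed@example.com", "wrong"),
                     ("plain@example.com", "wrong"), ("off@example.com", "s3cret")]:
        print(user, pw, authenticates(db, user, pw))
    print("accept any password:", accepts_any_password(db))
```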
