Re: Possible to adjust username used to determine the proxy destination?

2014-11-25 Thread Joseba Torre

On 24/11/14 at 17:21, Andy Dills wrote:

> I'm in a fairly standard cluster environment: shared storage, bunch of
> servers each acting as both proxies and backends.
>
> We do /bin/checkpassword authentication, allowing a great deal of
> flexibility...protection against brute force, billing mechanisms, but
> relevant to this issue, I have it set up to allow users to login with
> either their username (if they are in one of our default domains) or their
> email address.
>
> I'm realizing now that as a consequence of this, joe and j...@xecu.net
> are unique as far as dovecot is concerned. Users who login with just their
> username (and not the full email address) can get assigned to a different
> backend server than when they login with the full email address (which
> would also include LMTP deliveries). This has been happening for years, a
> few broken indexes here and there that seem to resolve themselves, so it
> hasn't been impacting the service, but I'd like to correct it properly.
>
> Is there a way to manipulate this? For example, if I moved the
> authentication to the proxy layer (it's currently proxy=y nopassword=y),
> and set $ENV{USER} to the full email address, will director use that for
> selection instead of the user-supplied username?
>
> I'm open to suggestions on how best to accomplish this.


I had a similar problem using director. The solution was

director_username_hash = %n

but I don't know if there is an equivalent solution for proxies.

HTH
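
Added example (not part of the original posts and not Dovecot's code): a small Python model of the problem discussed in this thread, showing how hashing the login as typed splits one mailbox across hash keys while hashing the part before '@' (what %n expands to) or a canonical address does not. The single default domain, the backend names, the sample logins and the hash-modulo placement are assumptions made for illustration.

```python
import hashlib

DEFAULT_DOMAIN = "xecu.net"          # assumption: a single default domain
BACKENDS = ["be1", "be2", "be3"]     # hypothetical backend names

def key_full(login):
    """Hash key from the login exactly as typed (lowercased)."""
    return login.lower()

def key_local(login):
    """Hash key from the part before '@' (what %n expands to), lowercased."""
    return login.lower().split("@", 1)[0]

def canonical(login):
    """Mailbox identity: a bare username gets the default domain appended."""
    login = login.lower()
    return login if "@" in login else f"{login}@{DEFAULT_DOMAIN}"

def pick_backend(key):
    """Toy placement (hash modulo backend count), not Dovecot's algorithm."""
    digest = hashlib.sha256(key.encode()).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]

def split_mailboxes(logins, key_fn):
    """Mailboxes whose observed login forms yield more than one hash key."""
    seen = {}
    for login in logins:
        seen.setdefault(canonical(login), set()).add(key_fn(login))
    return sorted(box for box, keys in seen.items() if len(keys) > 1)

# Constructed sample of login names as users might type them.
SAMPLE = ["joe", "joe@xecu.net", "Ann@xecu.net", "ann", "bob@example.org"]

if __name__ == "__main__":
    for name, fn in (("full", key_full), ("local", key_local),
                     ("canonical", canonical)):
        print(name, "split:", split_mailboxes(SAMPLE, fn))
        for login in SAMPLE:
            print(f"  {login:16} key={fn(login):16} -> {pick_backend(fn(login))}")
```

The local-part key also gives joe@example.org and joe@xecu.net the same key, which only co-locates two distinct mailboxes on one backend; the canonical key keeps them apart.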


Possible to adjust username used to determine the proxy destination?

2014-11-24 Thread Andy Dills

I'm in a fairly standard cluster environment: shared storage, bunch of 
servers each acting as both proxies and backends. 

We do /bin/checkpassword authentication, allowing a great deal of 
flexibility...protection against brute force, billing mechanisms, but 
relevant to this issue, I have it set up to allow users to login with 
either their username (if they are in one of our default domains) or their 
email address. 

I'm realizing now that as a consequence of this, joe and j...@xecu.net 
are unique as far as dovecot is concerned. Users who login with just their 
username (and not the full email address) can get assigned to a different 
backend server than when they login with the full email address (which 
would also include LMTP deliveries). This has been happening for years, a 
few broken indexes here and there that seem to resolve themselves, so it 
hasn't been impacting the service, but I'd like to correct it properly.

Is there a way to manipulate this? For example, if I moved the  
authentication to the proxy layer (it's currently proxy=y nopassword=y), 
and set $ENV{USER} to the full email address, will director use that for 
selection instead of the user-supplied username?

I'm open to suggestions on how best to accomplish this.

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---


Re: Possible to adjust username used to determine the proxy destination?

2014-11-24 Thread Steffen Kaiser


On Mon, 24 Nov 2014, Andy Dills wrote:


> I'm in a fairly standard cluster environment: shared storage, bunch of
> servers each acting as both proxies and backends.
>
> We do /bin/checkpassword authentication, allowing a great deal of
> flexibility...protection against brute force, billing mechanisms, but
> relevant to this issue, I have it set up to allow users to login with
> either their username (if they are in one of our default domains) or their
> email address.
>
> I'm realizing now that as a consequence of this, joe and j...@xecu.net
> are unique as far as dovecot is concerned. Users who login with just their
> username (and not the full email address) can get assigned to a different
> backend server than when they login with the full email address (which
> would also include LMTP deliveries). This has been happening for years, a
> few broken indexes here and there that seem to resolve themselves, so it
> hasn't been impacting the service, but I'd like to correct it properly.


Can return Dovecot Extra Fields as described in:
http://wiki2.dovecot.org/AuthDatabase/CheckPassword
? userdb_user should change the username.


> Is there a way to manipulate this? For example, if I moved the
> authentication to the proxy layer (it's currently proxy=y nopassword=y),
> and set $ENV{USER} to the full email address, will director use that for
> selection instead of the user-supplied username?


Dunno

-- 
Steffen Kaiser
