Re: [Dovecot] auth_cache multiple passwords ?
On Tue, 2009-06-16 at 14:06 +0200, Geoffroy Desvernay wrote:
> > The only usable solution I see is to disable negative auth caching and
> > use this patch from v1.2:
> > http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
> >
> Thank you !
>
> I compiled 1.1.16 with this patch (applied manually).
>
> If I understand what it does (I'm not sure at all), it just allows
> disabling negative caching of wrong passwords, but it doesn't allow to
> cache multiple passwords for one 'cache_key', am I right ?

Right.

> In my test-case, this patch allows the webmail to work, getting a new
> ticket for each IMAP connection (1 login failure then login success with
> a new ticket) in case of concurrent connections with a same login. (the
> last who clicks kicks out others from the cache)
>
> I think dovecot understands this as a 'password change', and this
> behaviour seems correct for all but this case :(

You did set auth_cache_negative_ttl=0, right? It should have worked then, because whenever authentication from cache fails Dovecot ignores whatever is in the cache and does another passdb lookup.

> How difficult would it be to keep cached more than one password by key ?

Way too difficult. But it's not necessary to get your system working.
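Added example, not part of the thread and not Dovecot code: a Python model of the behaviour discussed above (one cached password per cache key, auth_cache_negative_ttl=0, a cache mismatch falling through to a fresh passdb lookup), replayed against two webmail sessions that share one login. The class names, ticket strings and address are constructed, and the passdb stand-in assumes each CAS ticket validates exactly once.

```python
class OneTimeTicketPassdb:
    """Stand-in for the pam_cas check (assumption: a ticket validates once)."""

    def __init__(self):
        self.unused = set()
        self.lookups = 0

    def issue(self, user, ticket):
        self.unused.add((user, ticket))

    def verify(self, user, ticket):
        self.lookups += 1
        if (user, ticket) in self.unused:
            self.unused.discard((user, ticket))  # ticket is consumed
            return True
        return False


class AuthCache:
    """Model of the cache with auth_cache_negative_ttl=0: failures are never
    stored, and each cache key holds only the last accepted password."""

    def __init__(self, passdb):
        self.passdb = passdb
        self.entries = {}  # (user, client IP) -> last password passdb accepted

    def login(self, user, remote_ip, password):
        key = (user, remote_ip)
        if self.entries.get(key) == password:
            return "cache-hit"
        # Miss or mismatch: ignore the cached entry and ask the passdb again.
        if self.passdb.verify(user, password):
            self.entries[key] = password  # replaces the other session's ticket
            return "passdb-ok"
        return "fail"


def replay():
    """Two browser sessions (A, B) using login 'alice' through one webmail host."""
    passdb = OneTimeTicketPassdb()
    cache = AuthCache(passdb)
    ip = "192.0.2.10"  # constructed webmail server address
    for ticket in ("ST-A1", "ST-B1", "ST-A2"):  # constructed ticket values
        passdb.issue("alice", ticket)
    steps = ["ST-A1", "ST-A1", "ST-B1", "ST-A1", "ST-A2", "ST-B1"]
    results = [cache.login("alice", ip, t) for t in steps]
    return results, passdb.lookups


if __name__ == "__main__":
    print(replay())
```

The fourth and sixth steps are the "1 login failure" each session sees after the other one has replaced the cached ticket, and every step except the second costs a passdb lookup.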
Re: [Dovecot] auth_cache multiple passwords ?
Timo Sirainen wrote:
> On Jun 12, 2009, at 9:45 AM, Geoffroy Desvernay wrote:
>
>> For a single webmail connection per login, it works, thanks to cache_key
>> using client's IP.
>>
>> But for multiple use of the same login in the webmail, there are more
>> than one 'password' valid at a time…
>>
>> What may be the 'correct' solution:
>
> The only usable solution I see is to disable negative auth caching and
> use this patch from v1.2:
> http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
>

Thank you !

I compiled 1.1.16 with this patch (applied manually).

If I understand what it does (I'm not sure at all), it just allows disabling negative caching of wrong passwords, but it doesn't allow to cache multiple passwords for one 'cache_key', am I right ?

In my test-case, this patch allows the webmail to work, getting a new ticket for each IMAP connection (1 login failure then login success with a new ticket) in case of concurrent connections with a same login. (the last who clicks kicks out others from the cache)

I think dovecot understands this as a 'password change', and this behaviour seems correct for all but this case :(

How difficult would it be to keep cached more than one password by key ?

--
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
Tel: (+33|0)4 91 05 45 24
Fax: (+33|0)4 91 05 45 98
d...@centrale-marseille.fr
Re: [Dovecot] auth_cache multiple passwords ?
Timo Sirainen wrote:
> On Jun 12, 2009, at 9:45 AM, Geoffroy Desvernay wrote:
>
>> For a single webmail connection per login, it works, thanks to cache_key
>> using client's IP.
>>
>> But for multiple use of the same login in the webmail, there are more
>> than one 'password' valid at a time…
>>
>> What may be the 'correct' solution:
>
> The only usable solution I see is to disable negative auth caching and
> use this patch from v1.2:
> http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
>

I'll try to patch 1.1.16 with this patch and report here, thanks !
Re: [Dovecot] auth_cache multiple passwords ?
On Jun 12, 2009, at 9:45 AM, Geoffroy Desvernay wrote:

> For a single webmail connection per login, it works, thanks to cache_key
> using client's IP.
>
> But for multiple use of the same login in the webmail, there are more
> than one 'password' valid at a time…
>
> What may be the 'correct' solution:

The only usable solution I see is to disable negative auth caching and use this patch from v1.2:
http://hg.dovecot.org/dovecot-1.2/rev/8a23ab43132a
[Dovecot] auth_cache multiple passwords ?
Hi,

First, thanks Timo and Stefan for this great IMAP/Sieve implementation...

We are using 1.1.16+cmu_sieve/managesieve additions for now (following releases since ~ 1.0.1).

We have a specific problem here with auth-cache:

We use direct imap/sieve connection from different clients, using LDAP password: everything is fine.

The problem appears with our webmail access using a web-SSO system (jasig's CAS), using one-time-tickets as password for imap connections (checked by pam_cas module for now).

For a single webmail connection per login, it works, thanks to cache_key using client's IP.

But for multiple use of the same login in the webmail, there are more than one 'password' valid at a time…

What may be the 'correct' solution:
- patching auth-cache.c (auth_cache_lookup function ?)
- writing a different login backend ?
- ???

Hope I'm clear enough…

--
geoffroy desvernay
Ecole Centrale de Marseille