Included is a patch against 1.5.3 for passing the user supplied password to
auth_mysql_getuserinfo() for the purpose of using the supplied password
in a custom WHERE clause, specifically:

.
.
DEFAULT_DOMAIN          foo.com
MYSQL_LOGIN_FIELD       username
MYSQL_CLEAR_PWFIELD     value
.
.
.
.

MYSQL_SELECT_CLAUSE     SELECT \
        username,"",value,uid,gid,home,maildir,"",""     \
        FROM radcheck WHERE username = '$(local_part)' AND \
        value = '$(authpass)'


This complements Pawel Wilk's courier-imap-myownquery.patch by allowing
authentication without requiring users to use their full
username@domain.  Although all modern MUAs now support it, it's just
easier for the user and our support staff.  I've seen others wish for
this so I'm sharing it.

We enforce 'username AND value' uniqueness on our front end.  As a
reminder however, an unusually aware user could realize what's going on
when they try to set a password and are told that it's invalid.  They
could, if it occurred to them, then log in as the other user who already
has the same password.  I leave it to you to weigh the benefits of this
patch against the chances of two users with the same username choosing
the same password and one of them having clue enough to pull it off.
There aren't many of those users out there though and if you had
clued users then this patch wouldn't be necessary in the first place. :)

Note that DEFAULT_DOMAIN must be set, but any domain will do since it's
stripped anyway.  (I can't get get_localpart() to return a username when
there is no domain.)

This is MySQL only because no one has ported Pawel's patch to
PostgreSQL.  I may attempt it when the need arises.  I also don't expect
my patch to be merged, since it's probably too much of a change to
authmysqllib's design - that and I'm sure the code sucks.  :)

Comments, suggestions and improvements welcome.

-Jeremy

-- 

-----------------------------------------------------------------------
Jeremy Shaffner                           | This space for rent.
[EMAIL PROTECTED]                       | $ grep happiness life
PGP KeyID 0x594A8158 or finger above addy | FreeBSD: The Power to Serve
"Obscurity is the refuge of incompetence." - R.A. Heinlein, SIASL

