Added basically this: http://hg.dovecot.org/dovecot-2.2/rev/d60aa734c72d
Hopefully I didn't break peoples' authentications too much. :) On 30.1.2013, at 15.49, Timo Sirainen <[email protected]> wrote: > On 19.12.2012, at 0.24, Ben Morrow <[email protected]> wrote: > >>> Also there are already "deny" and "pass" settings. Interaction with them >>> can be somewhat confusing.. Maybe all of these should be replaced with: >>> >>> type=deny: Same as old deny=yes (deny auth if user is in list) >>> type=precondition(?): Same as pass=yes (require another passdb to match) >>> type=postcondition(?): Require user to exist in this passdb/userdb as >>> well, adding any extra fields in it. >>> type=add: Add any extra fields, if the user exists at all. >> >> This sounds like the nsswitch.conf [notfound=continue] stuff, perhaps >> you could use those names? >> >> Status >> success entry found >> notfound entry definitely not found >> tryagain database temporarily unavailable >> unavail database not responding (an error of some kind) > > I wonder what's the difference between tryagain and unavail. Sounds like the > same thing to me. > >> Action >> return return the current result >> continue try the next db and accumulate fields >> >> with defaults of >> >> success = return >> notfound = continue >> tryagain = continue >> unavail = continue >> >> You could potentially add other actions, like 'retry' which waits a bit >> and retries. Some sort of 'tempfail' action, which returns temporary >> failure to the client, would be good, but I don't think IMAP supports >> that, unless you just drop the connection and assume the client will >> reconnect and retry. > > Hmm. I guess this would work, with defaults: > > passdb { > skip = never > success = return-ok > notfound = continue > unavail = continue > } > > The possible values for skip: > - never: always do this passdb lookup > - authenticated: skip if user is already authenticated by a previous passdb > - unauthenticated: skip if user isn't authenticated > > The possible values for success/notfound/unavail: > - return, return-ok, return-fail > - continue, continue-ok, continue-fail > > where return/continue preserves the success-status without changing it, while > the -ok and -fail variants change the success-status. The default status is > fail, only return-ok / continue-ok changes that. > > So: > > - deny=yes would be success=return-fail. > > - pass=yes would be success=continue (or continue-fail, but usually that > would be the same) > > - Two passdbs, second one adding extra fields: > > a) require user to be in both: passdb { success = continue }, passdb { skip = > unauthenticated } > b) don't require user in the second: passdb { success = continue-ok }, passdb > { skip = unauthenticated } > > - 3 passdbs, with first two authenticating and last one adding extra fields: > > passdb { success = continue }, passdb { success = continue skip = > authenticated }, passdb { skip = unauthenticated } > > I think you can do pretty much any wanted combination with these. Also. I > think result_ prefix would be good, too lazy to update the rest of the mail > now. So result_success, result_notfound and result_unavail. >
