I see this has been asked a few times over the years (but not in several years), and the response was along the lines of "maybe someday", so I figured I'd see if someday was here yet...

I have a need to have a different default realm for different listeners. Basically, I've a bunch of different domains, and a few of them insist their users not be required to authenticate with "user at domain" and just use "user", and I'm trying to make this work without separate daemons and/or VMs.

I'll be using Dovecot 2.2 (most likely 2.2.10 as provided by RHEL/CentOS 7).

Thanks. If there's not a way to do this directly in Dovecot, does anybody have any suggestion that doesn't require several different VMs?

-- 
Chris Adams <cma at cmadams.net>

On 10-03-15 18:20, Chris Adams wrote:
> I see this has been asked a few times over the years (but not in
> several years), and the response was along the lines of "maybe
> someday", so I figured I'd see if someday was here yet...
>
> I have a need to have a different default realm for different
> listeners. Basically, I've a bunch of different domains, and a few
> of them insist their users not be required to authenticate with
> "user at domain" and just use "user", and I'm trying to make this work
> without separate daemons and/or VMs.
>
> I'll be using Dovecot 2.2 (most likely 2.2.10 as provided by
> RHEL/CentOS 7).
>
> Thanks. If there's not a way to do this directly in Dovecot, does
> anybody have any suggestion that doesn't require several different
> VMs?

You could drop the default realm completely, and create a second passdb lookup which uses only the username part to lookup credentials. This means that, as long as you have no conflicts as usernames 'john at foo.com' vs 'john at bar.com', you'd be able to support username 'john'.

When you're able to use the password in your sql WHERE statement [1] too, you could even work around that, because you'd only have mismatches when 'john at foo.com' and 'john at bar.com' have the same passphrase.

[1] http://wiki2.dovecot.org/AuthDatabase/SQL#Password_verification_by_SQL_server

Tom

On Tuesday 10 March 2015 18:38:40 Tom Hendrikx wrote:
> On 10-03-15 18:20, Chris Adams wrote:
> > I see this has been asked a few times over the years (but not in
> > several years), and the response was along the lines of "maybe
> > someday", so I figured I'd see if someday was here yet...
> >
> > I have a need to have a different default realm for different
> > listeners. Basically, I've a bunch of different domains, and a few
> > of them insist their users not be required to authenticate with
> > "user at domain" and just use "user", and I'm trying to make this work
> > without separate daemons and/or VMs.
> >
> > I'll be using Dovecot 2.2 (most likely 2.2.10 as provided by
> > RHEL/CentOS 7).
> >
> > Thanks. If there's not a way to do this directly in Dovecot, does
> > anybody have any suggestion that doesn't require several different
> > VMs?
>
> You could drop the default realm completely, and create a second
> passdb lookup which uses only the username part to lookup credentials.
> This means that, as long as you have no conflicts as usernames
> 'john at foo.com' vs 'john at bar.com', you'd be able to support username
> 'john'.

Well, I think "conflict" is the keyword here. Everybody wants an e-mail address called "contact" or "office" :)

> When you're able to use the password in your sql WHERE statement [1]
> too, you could even work around that, because you'd only have
> mismatches when 'john at foo.com' and 'john at bar.com' have the same
> passphrase.
>
> [1] http://wiki2.dovecot.org/AuthDatabase/SQL#Password_verification_by_SQL_server
>
> Tom

-- 
Mihai Bădici
http://mihai.badici.ro

Once upon a time, Tom Hendrikx <tom at whyscream.net> said:
> You could drop the default realm completely, and create a second
> passdb lookup which uses only the username part to lookup credentials.
> This means that, as long as you have no conflicts as usernames
> 'john at foo.com' vs 'john at bar.com', you'd be able to support username
> 'john'.

The domains I need to handle are separate telephone company ISPs, so they all want common things like "sales", so that won't work.

All my users are in MySQL. Reading the docs, I see that "%l" expands to the local IP address "almost everywhere". If that's available in the userdb SQL expansion, I could write a (somewhat convoluted) SQL statement that adds a domain based on the local IP. Does that sound like it'll work?

Not quite as "elegant" as just setting auth_default_realm in separate listeners, but should work I guess.

-- 
Chris Adams <cma at cmadams.net>
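
The per-listener lookup discussed in this thread, written out as an added example that is not from any poster; it places the `%l` expansion in the passdb query rather than the userdb one, so the realm is chosen before the password is checked. The table names `listener_realm` and `mail_users`, their columns and the sample IPs are assumptions, and `auth_default_realm` is assumed to be unset.

```sql
-- Hypothetical schema: which realm a bare "user" login gets on each listener IP.
CREATE TABLE listener_realm (
  local_ip VARCHAR(45)  NOT NULL PRIMARY KEY,  -- value Dovecot expands for %l
  realm    VARCHAR(255) NOT NULL               -- domain appended to bare logins
);

-- Constructed sample rows (documentation address range).
INSERT INTO listener_realm (local_ip, realm) VALUES
  ('192.0.2.10', 'foo.com'),
  ('192.0.2.11', 'bar.com');

-- Hypothetical account table; passwords are stored as hashes Dovecot verifies.
CREATE TABLE mail_users (
  userid   VARCHAR(320) NOT NULL PRIMARY KEY,  -- always full user@domain
  password VARCHAR(255) NOT NULL
);

-- Body for password_query in dovecot-sql.conf.ext (auth_default_realm unset).
-- Dovecot expands %u (login as typed), %n (local part), %d (domain, empty for
-- a bare login) and %l (local IP) before sending the statement to MySQL.
SELECT u.userid AS user, u.password
FROM mail_users u
LEFT JOIN listener_realm lr ON lr.local_ip = '%l'
WHERE u.userid = CASE
        WHEN '%d' = '' THEN CONCAT('%n', '@', lr.realm)  -- bare login: add realm
        ELSE '%u'                                        -- full login: use as typed
      END;
-- A bare login on an unmapped IP gives CONCAT(..., NULL) = NULL, so no row
-- matches and authentication fails instead of falling back to another domain.
```

Returning the `user` field makes Dovecot continue with the full user@domain name, so a userdb query keyed on `%u` sees the realm-qualified account, and "sales" on one listener never resolves to another domain's "sales".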