Clemens Schrimpe
2010-Nov-27 23:44 UTC
[Dovecot] (vaguely) related to: "doveadm auth user" ...
While digging through the code I remember having seen something like an (yet undocumented) "update_query" for SQL (and I guess something similar for the LDAP faction as well)?!

Can that be used to augment the "doveadm pw" function to actually /set/ the password for a given user instead of just "calculating" the hash, so that an operator can copy&waste it into the respective passdb?

Just curious ... I guess it would be nice to have "doveadm" become as central point of administration (yeah, yeah - we would still need a "create user" and "delete user", etc. -- but we would at least be further on our way, wouldn't we? :-)

Just 2¢ from Clemens
Timo Sirainen
2010-Nov-30 00:28 UTC
[Dovecot] (vaguely) related to: "doveadm auth user" ...
On 27.11.2010, at 23.44, Clemens Schrimpe wrote:

> While digging through the code I remember having seen something like an (yet undocumented) "update_query" for SQL (and I guess something similar for the LDAP faction as well)?!

Yes, it's only for SQL though, and its primary purpose is for OTP and SKEY auth mechanisms to update the one-time-password.

> Can that be used to augment the "doveadm pw" function to actually /set/ the password for a given user instead of just "calculating" the hash, so that an operator can copy&waste it into the respective passdb?

I guess it could.. Of course would require that admin has set the update_query correctly. But a much more important problem would be how to do this securely. Many people have given pretty wide permissions for auth sockets, because they can't really be used for doing any harm. By adding this command it would be much worse. Perhaps yet another new socket would have to be created: auth-admin.

> Just curious ... I guess it would be nice to have "doveadm" become as central point of administration (yeah, yeah - we would still need a "create user" and "delete user", etc. -- but we would at least be further on our way, wouldn't we? :-)

I'm not really sure if those will ever be supported. Or perhaps as doveadm plugins / scripts for whatever tool people are using for user management. Then again, if those are done, the password changing could be done the same way. I think it's too much trouble with too little benefit at least for now.
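
The concern about widely permissioned auth sockets can be checked on an existing installation. The following is an added example, not code from the thread or from Dovecot: it parses Dovecot 2.x style configuration text and lists the `unix_listener` sockets under `service auth` whose explicit `mode` grants access to "other". The sample configuration is constructed, the function names are hypothetical, and treating the "other" permission bits as the threshold for "wide" is an assumption.

```python
# Constructed sample in Dovecot 2.x configuration syntax (not taken from the thread).
SAMPLE_CONF = """\
service auth {
  unix_listener auth-userdb {
    mode = 0666
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
"""

def auth_listeners(conf):
    """Return {socket_name: settings} for unix_listener blocks inside 'service auth'."""
    stack, found = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if line.endswith("{"):
            stack.append(line[:-1].split())      # e.g. ['unix_listener', 'auth-userdb']
        elif line == "}" and stack:
            stack.pop()
        elif ("=" in line and len(stack) == 2 and stack[0] == ["service", "auth"]
              and len(stack[1]) == 2 and stack[1][0] == "unix_listener"):
            key, value = (part.strip() for part in line.split("=", 1))
            found.setdefault(stack[1][1], {})[key] = value
    return found

def world_accessible(conf):
    """Names of auth sockets whose explicit mode gives read or write to 'other'."""
    return sorted(name for name, settings in auth_listeners(conf).items()
                  if "mode" in settings and int(settings["mode"], 8) & 0o006)

if __name__ == "__main__":
    for name in world_accessible(SAMPLE_CONF):
        print("world-accessible auth socket:", name)
```

Sockets without an explicit `mode` line are not reported, so the result covers only permissions the administrator set by hand.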