dovecot.pkoch at dfgh.net
2014-May-03 12:32 UTC
[Dovecot] %{orig_user} missing in checkpassword-Script
Dear dovecot maintainers:

I'm using SSL client certificates together with a checkpassword script to authenticate our users.

My problem is: In the checkpassword script the AUTH_USER environment variable will either contain the username that was configured in the mail client (if auth_ssl_username_from_cert=false) or the username from the certificate (if auth_ssl_username_from_cert=true).

I would like to compare both values, i.e. the %{user} Dovecot variable and the %{orig_user} Dovecot variable. But the environment of a checkpassword script has only one of them.

I tried myself and found the following:
- the environment of a checkpassword script is set up by checkpassword_setup_env() in db-checkpassword.c
- checkpassword_setup_env() calls env_put_auth_vars()
- env_put_auth_vars() creates AUTH_xxx environment variables for all entries of the auth_request_get_var_expand_table()
- the auth_request_get_var_expand_table_full() routine does not contain the original user, but the auth_request struct does.

So I changed the dovecot source code (version 2.2.12) as follows.

In src/auth/auth-request.h line 152 I replaced

    #define AUTH_REQUEST_VAR_TAB_COUNT 27

by

    #define AUTH_REQUEST_VAR_TAB_COUNT 30

In src/auth/auth-request.c around line 2027 I replaced the following lines at the end of auth_request_var_expand_static_tab

    { '\0', NULL, "session_pid" },
    /* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
    { '\0', NULL, NULL }
    };

by

    { '\0', NULL, "session_pid" },
    { '\0', NULL, "orig_user" },
    { '\0', NULL, "orig_username" },
    { '\0', NULL, "orig_domain" },
    /* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
    { '\0', NULL, NULL }
    };

In src/auth/auth-request.c around line 2116 I replaced the following lines at the end of function auth_request_get_var_expand_table_full()

    tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
        dec2str(auth_request->session_pid);
    return ret_tab;

by

    tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
        dec2str(auth_request->session_pid);
    if (auth_request->original_username != NULL) {
        tab[27].value =
            escape_func(auth_request->original_username, auth_request);
        tab[28].value =
            escape_func(t_strcut(auth_request->original_username, '@'), auth_request);
        tab[29].value = strchr(auth_request->original_username, '@');
        if (tab[29].value != NULL) {
            tab[29].value = escape_func(tab[29].value+1, auth_request);
        }
    }
    return ret_tab;

This will add AUTH_ORIG_USER, AUTH_ORIG_USERNAME and AUTH_ORIG_DOMAIN environment variables to the environment of every checkpassword script.

If this is the correct way to extend the environment of a checkpassword script then you might consider adding these minor changes to the dovecot source.

Kind regards and thanks very much for this wonderful project

Peter Koch
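The comparison the post asks for, written out as a checkpassword script. This is an added example, not code from the thread or from the Dovecot project. It assumes Dovecot runs with auth_ssl_username_from_cert=true and with the patch above applied, so that AUTH_USER carries the identity taken from the client certificate and AUTH_ORIG_USER carries the name the mail client sent in its LOGIN; it rejects the login when the two do not denote the same account, so a valid certificate for one mailbox cannot be used to log in under another name. The password itself is assumed to be verified elsewhere (for instance by a preceding passdb), since a certificate-authenticated session is what this check is about; the exit codes 1 (authentication failed) and 111 (temporary failure) and the "exec the reply program given as the first argument on success" rule are the checkpassword convention Dovecot follows.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project.
# Checkpassword script that binds the client-supplied login name to the
# identity Dovecot derived from the TLS client certificate.
# Assumed environment (see lead-in):
#   AUTH_USER      identity from the certificate (auth_ssl_username_from_cert=true)
#   AUTH_ORIG_USER name the client sent (added by the patch in the thread)

# Lower-case a string; mail addresses are compared case-insensitively here.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# identity_bound CERT_USER CLIENT_USER
# Returns 0 when both names denote the same account, 1 otherwise.
# Empty values never match: a missing certificate identity or a missing
# client name fails closed rather than open.
identity_bound() {
    cert_user=$(lc "$1")
    client_user=$(lc "$2")
    [ -n "$cert_user" ] || return 1
    [ -n "$client_user" ] || return 1
    [ "$cert_user" = "$client_user" ]
}

# checkpassword_main REPLY_PROGRAM
# Dovecot passes the reply program as $1 and the credentials on fd 3.
checkpassword_main() {
    reply=$1
    # Drain fd 3 (username\0password\0...) so the writer never sees a broken
    # pipe; the password is not verified by this script (see lead-in).
    cat <&3 >/dev/null 2>&1 || exit 111

    if identity_bound "${AUTH_USER:-}" "${AUTH_ORIG_USER:-}"; then
        # Success: hand over to checkpassword-reply with the environment intact.
        exec "$reply"
    fi

    # Mismatch: leave a trace for the SOC and reject the login.
    logger -p auth.warning -t checkpassword \
        "login rejected: certificate identity '${AUTH_USER:-}' does not match client name '${AUTH_ORIG_USER:-}'"
    exit 1
}

# Only act as a checkpassword script when Dovecot actually invoked us with
# the reply program; sourcing the file for testing runs nothing.
if [ $# -ge 1 ]; then
    checkpassword_main "$@"
fi
```

Install it as the checkpassword args target in the passdb block and it behaves like any other checkpassword script; the only policy knob is identity_bound, which is deliberately strict (exact address match, no bare-localpart fallback) so that a certificate issued for one domain never satisfies a login for another.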
Timo Sirainen
2014-May-05 11:29 UTC
[Dovecot] %{orig_user} missing in checkpassword-Script
OK, added: http://hg.dovecot.org/dovecot-2.2/rev/1e099feb1dea

On 3.5.2014, at 15.32, dovecot.pkoch at dfgh.net wrote:

> Dear dovecot maintainers:
>
> I'm using SSL client certificates together with a checkpassword script
> to authenticate our users.
>
> My problem is: In the checkpassword script the AUTH_USER environment
> variable will either contain the username that was configured in the
> mail client (if auth_ssl_username_from_cert=false) or the username
> from the certificate (if auth_ssl_username_from_cert=true).
>
> I would like to compare both values, i.e. the %{user} Dovecot variable
> and the %{orig_user} Dovecot variable. But the environment of a
> checkpassword script has only one of them.
>
> I tried myself and found the following:
> - the environment of a checkpassword script is set up by
>   checkpassword_setup_env() in db-checkpassword.c
> - checkpassword_setup_env() calls env_put_auth_vars()
> - env_put_auth_vars() creates AUTH_xxx environment variables for all
>   entries of the auth_request_get_var_expand_table()
> - the auth_request_get_var_expand_table_full() routine does not contain the
>   original user, but the auth_request struct does.
>
> So I changed the dovecot source code (version 2.2.12) as follows.
>
> In src/auth/auth-request.h line 152 I replaced
>
>     #define AUTH_REQUEST_VAR_TAB_COUNT 27
>
> by
>
>     #define AUTH_REQUEST_VAR_TAB_COUNT 30
>
> In src/auth/auth-request.c around line 2027 I replaced the
> following lines at the end of auth_request_var_expand_static_tab
>
>     { '\0', NULL, "session_pid" },
>     /* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
>     { '\0', NULL, NULL }
>     };
>
> by
>
>     { '\0', NULL, "session_pid" },
>     { '\0', NULL, "orig_user" },
>     { '\0', NULL, "orig_username" },
>     { '\0', NULL, "orig_domain" },
>     /* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
>     { '\0', NULL, NULL }
>     };
>
> In src/auth/auth-request.c around line 2116 I replaced the
> following lines at the end of function
> auth_request_get_var_expand_table_full()
>
>     tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
>         dec2str(auth_request->session_pid);
>     return ret_tab;
>
> by
>
>     tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
>         dec2str(auth_request->session_pid);
>     if (auth_request->original_username != NULL) {
>         tab[27].value =
>             escape_func(auth_request->original_username, auth_request);
>         tab[28].value =
>             escape_func(t_strcut(auth_request->original_username, '@'), auth_request);
>         tab[29].value = strchr(auth_request->original_username, '@');
>         if (tab[29].value != NULL) {
>             tab[29].value = escape_func(tab[29].value+1, auth_request);
>         }
>     }
>     return ret_tab;
>
> This will add AUTH_ORIG_USER, AUTH_ORIG_USERNAME and AUTH_ORIG_DOMAIN
> environment variables to the environment of every checkpassword script.
>
> If this is the correct way to extend the environment of a
> checkpassword script
> then you might consider adding these minor changes to the dovecot source.
>
> Kind regards and thanks very much for this wonderful project
>
> Peter Koch