
Re: [bug-mailutils] mu_authenticate?


From: Sergey Poznyakoff
Subject: Re: [bug-mailutils] mu_authenticate?
Date: Mon, 28 Sep 2009 13:48:12 +0300

Simon Josefsson <address@hidden> wrote:

> SCRAM-SHA-1.  However I cannot login using LOGIN/PLAIN.

Probably, you have not configured the `gsasl' statement in your
configuration file. See its short description in `imap4d --config-help'
output.

> GSASL_VALIDATE_SIMPLE callback is imap4d/auth_gsasl.c:cb_validate that
> does:
[...]
> What is the purpose of the code?  Is the intention that it MUST be run
> for every user regardless of authentication method?

No, of course not. It must be run only in the validation callback.
Its purpose is as follows:

>   auth = mu_get_auth_by_name (*username);

This returns a pointer to a structure containing the information about
this account, or NULL if no such account exists. This function is a MU
counterpart of getpwnam(3). The difference is that it looks the user
up in the MU authorization database, as set by the `auth' statement
(http://www.gnu.org/software/mailutils/manual/html_node/Auth-Statement.html),
and that the resulting structure contains some more information about
the account.

>   if (auth == NULL)
>     return GSASL_AUTHENTICATION_ERROR;

If there is no such user, report an error.

>   rc = mu_authenticate (auth, pass);

The mu_authenticate function verifies if the password (pass) matches that
stored in the `auth' structure. The authentication mechanism is
configured by the `auth' configuration statement.

>   mu_auth_data_free (auth);

The `auth' structure is freed.

>   return rc == 0 ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;

The return from mu_authenticate determines that of the callback
function.

> Btw, the name of cram-passwd is a bit wrong now that it is also used for
> non-CRAM mechanisms.  I'm not sure it is worthwhile to rename it.

It is definitely worth it. Thanks for pointing that out.

> Btw^2, maybe a cleaner approach is to add a function mu_gsasl_getpass,
> similar to mu_sql_getpass and use that?

Yes, perhaps. I am now thinking about clearer ways to organize the
auth stuff. I'll probably use this idea too.

> I suspect (hope) that mu_authenticate need not be called for all users
> unconditionally, and in that case, the patch below makes LOGIN/PLAIN
> work for passwords stored in cram-passwd and SQL format.

I'll try this. Thank you.

Regards,
Sergey



