Re: [bug-mailutils] mu_authenticate?
From: Sergey Poznyakoff
Subject: Re: [bug-mailutils] mu_authenticate?
Date: Mon, 28 Sep 2009 13:48:12 +0300
Simon Josefsson <address@hidden> wrote:
> SCRAM-SHA-1. However I cannot login using LOGIN/PLAIN.
Probably, you have not configured the `gsasl' statement in your
configuration file. See its short description in `imap4d --config-help'
output.
> GSASL_VALIDATE_SIMPLE callback is imap4d/auth_gsasl.c:cb_validate that
> does:
[...]
> What is the purpose of the code? Is the intention that it MUST be run
> for every user regardless of authentication method?
No, of course not. It must be run only in the validation callback.
Its purpose is as follows:
> auth = mu_get_auth_by_name (*username);
This returns a pointer to a structure containing the information about
this account, or NULL if no such account exists. This function is a MU
counterpart of getpwnam(3). The difference is that it looks the user
up in the MU authorization database, as set by the `auth' statement
(http://www.gnu.org/software/mailutils/manual/html_node/Auth-Statement.html),
and that the resulting structure contains some more information about
the account.
> if (auth == NULL)
> return GSASL_AUTHENTICATION_ERROR;
If there is no such user, report an error.
> rc = mu_authenticate (auth, pass);
The mu_authenticate function verifies if the password (pass) matches that
stored in the `auth' structure. The authentication mechanism is
configured by the `auth' configuration statement.
> mu_auth_data_free (auth);
The `auth' structure is freed.
> return rc == 0 ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;
The return from mu_authenticate determines that of the callback
function.
> Btw, the name of cram-passwd is a bit wrong now that it is also used for
> non-CRAM mechanisms. I'm not sure it is worthwhile to rename it.
It is definitely worth it. Thanks for pointing that out.
> Btw^2, maybe a cleaner approach is to add a function mu_gsasl_getpass,
> similar to mu_sql_getpass and use that?
Yes, perhaps. I am now thinking about clearer ways to organize the
auth stuff. I'll probably use this idea too.
> I suspect (hope) that mu_authenticate need not be called for all users
> unconditionally, and in that case, the patch below makes LOGIN/PLAIN
> work for passwords stored in cram-passwd and SQL format.
I'll try this. Thank you.
Regards,
Sergey