-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multi-auth. provider / using separate DBs for usernames and passwords. #56
Comments
Another thing is that users may want to have different storage associated with accounts coming from different auth. backends. Currently, authentication is fully separate from storage and we have the concept of "auth account" and "storage account". This makes it difficult to build some sort of association. We can allow authentication modules to return some kind of "association tag", which could then be consumed by storage backend. SMTP, Pipeline: Allow branching directives to inspect association tag created by authentication provider (using syntax described in #32):
Approach A: Extend authentication provider interface: type AuthProvider interface {
CheckPlain(username, password) (associationTag string, err error)
} Extend storage IMAP interface in similar way: type StorageBackend interface {
GetUser(assocationTag, username, password string) (backend.User, error)
} Then implement |
Approach B: Move dispatching logic to the upper level. Do all dispatching at the endpoint (or pipeline) module level, using auth. provider instance names as "association tags".
Side-note: Common auth expressions can be factored out into a snippet:
Or we might want to allow specificing auth directive at top level. Okay, I think Approach B is more clear and Approach A basically ruins all existing abstractions, while B builds on them. |
Side note: Not all PAM modules differentiate between "user doesn't exist" and "invalid password" so this setup may be problematic in reality. |
Also this needs extension of config.Map to allow multiple values for directives. |
I remember having a use-case where I wanted to give email accounts to all PAM users but use passwords from a separate database. And also people on IRC channels for dovecot and postfix often ask questions regarding weird mixes of authentication data sources. So I guess we should have a generic tool to handle such cases.
We create the
multi
module that implements authentication provider interface (so it can be used in SMTP, IMAP, etc):user
directive here refers to a module implementing the following interface:pass
directive refers to an authentication provider.If there is at least one
user
directive - then at least one "userdb" module should say that the user exists.Then the user password is also checked against providers listed using
pass
directives, at least one provider should accept the password.multi
module itself also implements the UserDB interface, this allows mixing things together in more complicated use-cases to get the right results.The text was updated successfully, but these errors were encountered: