This is probably due to my newbieness, but anyway.
Basically, I want to authenticate some users using a method, and other users
using a different method (both for plain and login authenticators, though I'll
only use login in the examples). I have a list of domains called
special_domains, and for each domain in the list I have a file under
/etc/special, and each file contains lines of the form username:password. So
for example for domain xxx.yyy, I have this in the file /etc/special/xxx.yyy:
someuser:somepassword
user2:blah
anotheruser:anotherpassword
and the same for the other special domains. So my idea is to use those files
to authenticate users whose username is <anuser>@<one of the special domains>,
and use a different means to authenticate all other users.
I tried two different approaches, both are failing (details later).
special_domains is defined as
domainlist special_domains = dsearch;/etc/special
First try:
server_condition = ${if match_domain{${domain:$auth1}}{+special_domains} \
{${if eq{$auth2}{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:$auth1}}}}{1}{0}} } \
{${if eq{$auth2}{a}{1}{0}}} \
}
(the alternative authentication for now just checks that the password is "a";
of course that will change when the whole thing is working)
Second try:
server_condition = ${if match_domain{${domain:$auth1}}{+special_domains} \
{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:$auth1}} \
{${if eq {$auth2}{$value}{1}{0}}}{0}} } \
{ ${if eq{$auth2}{a}{1}{0}} } \
}
The idea in both is: if the username is user2@??? (or another special
domain username), look it up in /etc/special/xxx.yyy and check that the
supplied password matches the password in there (blah in this case); otherwise
(not a special domain user), check that the password is "a" (as I said, this
will change once it's working, but for now it just demonstrates the problem).
This is what I see in the log when the username belongs to a special domain and
the password is correct:
734 login authenticator:
734 $auth1 = user2@???
734 $auth2 = blah
734 $1 = user2@???
734 $2 = blah
734 expanding: $auth1
734 result: user2@???
734 expanding: $auth1
734 result: user2@???
734 expanding: Authenticating $auth1 $auth2 (${domain:$auth1} ${local_part:
$auth1})
734 result: Authenticating user2@??? blah (xxx.yyy user2)
734 Authenticating user2@??? blah (xxx.yyy user2)
734 expanding: $auth1
734 result: user2@???
734 expanding: ${domain:$auth1}
734 result: xxx.yyy
734 expanding: +special_domains
734 result: +special_domains
734 search_open: dsearch "/etc/special"
734 search_find: file="/etc/special"
734 key="xxx.yyy" partial=-1 affix=NULL starflags=0
734 LRU list:
734 5/etc/special
734 End
734 internal_search_find: file="/etc/special"
734 type=dsearch key="xxx.yyy"
734 file lookup required for xxx.yyy
734 in /etc/special
734 lookup yielded: xxx.yyy
734 xxx.yyy in "dsearch;/etc/special"? yes (matched "dsearch;/etc/special")
734 xxx.yyy in "+special_domains"? yes (matched "+special_domains")
734 condition: match_domain{${domain:$auth1}}{+special_domains}
734 result: true
734 expanding: $auth2
734 result: blah
734 expanding: $auth1
734 result: user2@???
734 expanding: ${local_part:$auth1}
734 result: user2
734 expanding: $auth1
734 result: user2@???
734 expanding: /etc/special/${domain:$auth1}
734 result: /etc/special/xxx.yyy
734 search_open: lsearch "/etc/special/xxx.yyy"
734 search_find: file="/etc/special/xxx.yyy"
734 key="user2" partial=-1 affix=NULL starflags=0
734 LRU list:
734 ;/etc/special/xxx.yyy
734 5/etc/special
734 End
734 internal_search_find: file="/etc/special/xxx.yyy"
734 type=lsearch key="user2"
734 file lookup required for user2
734 in /etc/special/xxx.yyy
734 lookup yielded: blah
734 expanding: ${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:
$auth1}}}
734 result: blah
734 condition: eq{$auth2}{${lookup{${local_part:
$auth1}}lsearch{/etc/special/${domain:$auth1}}}}
734 result: true
734 expanding: 1
734 result: 1
734 expanding: 0
734 result: 0
734 skipping: result is not used
734 expanding: ${if eq{$auth2}{${lookup{${local_part:
$auth1}}lsearch{/etc/special/${domain:$auth1}}}}{1}{0}}
734 result: 1
734 expanding: $auth2
734 result: blah
734 skipping: result is not used
734 expanding: a
734 result: a
734 skipping: result is not used
734 condition: eq{$auth2}{a}
734 result: false
734 expanding: 1
734 result: 1
734 skipping: result is not used
734 expanding: 0
734 result: 0
734 skipping: result is not used
734 expanding: ${if eq{$auth2}{a}{1}{0}}
734 result: 0
734 skipping: result is not used
734 expanding: ${if match_domain{${domain:$auth1}}{+special_domains} {${if
eq{$auth2}{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:
$auth1}}}}{1}{0}} } {${if eq{$auth2}{a}{1}{0}}} }
734 result: 1
734 expanded string: 1
734 expanding: $auth1
734 result: user2@???
734 SMTP>> 435 Unable to authenticate at present: 1
734 LOG: MAIN REJECT
734 login authenticator failed for client.xxx.yyy (there) [172.20.0.5]:
435 Unable to authenticate at present (set_id=user2@???): 1
With the second form of server_condition above, I similarly get:
...
743 expanding: ${if match_domain{${domain:$auth1}}{+special_domains}
{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:$auth1}} {${if eq
{$auth2}{$value}{1}{0}}}{0}} } { ${if eq{$auth2}{a}{1}{0}} } }
743 result: 1
743 expanded string: 1
743 expanding: $auth1
743 result: user2@???
743 SMTP>> 435 Unable to authenticate at present: 1
743 LOG: MAIN REJECT
743 login authenticator failed for client.abc.def (there) [172.20.0.5]:
435 Unable to authenticate at present (set_id=user2@???): 1
I get a similar outcome if I try to authenticate with a non-special_domains
user (where the second branch of the outer if should be evaluated) and
password "a".
So am I reading that correctly? The overall result of the expansion of
server_condition is 1, but authentication fails?
On the client I see: 435 Unable to authenticate at present: 1
I'm sure I'm missing something here. Any help would be greatly appreciated.
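The decision logic the two server_condition variants are meant to express, as an added Python model that is not part of the original post or of Exim: the dsearch over /etc/special and the per-domain lsearch files are emulated with constructed in-memory data, lsearch is simplified to "key:value" / "key value" lines, and the password comparison uses hmac.compare_digest (an addition; Exim's eq is a plain string compare).

```python
"""Model of the two-branch server_condition from the post (added example)."""
import hmac

# Constructed stand-in for the dsearch over /etc/special: each key is a
# file name (a special domain), each value is that file's username:password lines.
SPECIAL_DIR = {
    "xxx.yyy": "someuser:somepassword\nuser2:blah\nanotheruser:anotherpassword\n",
    "example.test": "bob:constructed-secret\n",   # constructed second domain
}


def lsearch(file_text, key):
    """Emulate an Exim lsearch (simplified): the first line whose key is
    followed by ':' or a blank wins; the remainder, stripped, is the value."""
    for line in file_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        head, sep, rest = line.partition(":")
        if not sep:                      # "key value" form
            head, _, rest = line.partition(" ")
        if head.strip() == key:
            return rest.strip()
    return None                          # lookup failed


def server_condition(auth1, auth2, special_dir=SPECIAL_DIR, fallback_password="a"):
    """Return True when the supplied credentials are acceptable.

    Branch 1: local_part@special_domain -> compare against the per-domain file.
    Branch 2: anything else -> the placeholder check the post uses ("a").
    """
    local_part, at, domain = auth1.rpartition("@")
    if at and domain in special_dir:     # match_domain against +special_domains
        expected = lsearch(special_dir[domain], local_part)
        if expected is None:             # user not in the file: reject, no fallback
            return False
        return hmac.compare_digest(expected.encode(), auth2.encode())
    # Non-special user: placeholder check, still compared in constant time.
    return hmac.compare_digest(fallback_password.encode(), auth2.encode())
```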