On 2010-02-22 at 14:14 -0800, Ernie Dunbar wrote:
> plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
>
> server_condition = "${if and { \
> {!eq{$2}{}} \
> {!eq{$3}{}} \
> {crypteq{$3}{${lookup mysql{SELECT password FROM mailbox WHERE
> username='${quote_mysql:$2}' }{$
> value}fail}} }} {yes}{no}}"
> server_set_id = $2
>
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = "${if and { \
> {!eq{$2}{}} \
> {!eq{$3}{}} \
> {crypteq{$3}{${lookup mysql{SELECT password FROM mailbox WHERE
> username='${quote_mysql:$2}' }{$
> value}fail}} }} {yes}{no}}"
> server_set_id = $1
There's the problem.
In PLAIN, there are three parts to the authentication, the first
typically empty (the authorisation id field, not the authentication id
field).
In LOGIN, there are only two.
So for the login: driver, you use "server_set_id = $1" which differs,
but if you look at the server_condition option, you haven't mapped $2 to
$1 and $3 to $2.
So you're looking up the password based on an SQL query where the
username field must equal the supplied password. But because you set
the user id field correctly, you see the supplied usercode in the logs.
Oh, and it's a little clearer if you use $auth2 instead of $2.
-Phil
