diff --git a/data/updates.js b/data/updates.js index 11919c70b..2a14ac912 100644 --- a/data/updates.js +++ b/data/updates.js @@ -18,6 +18,7 @@ export const updates = { crypt_des_md5_schemes: '2.4.0', auth_client_common_secured: '2.4.0', auth_imap_arg_configuration_removed: '2.4.0', + auth_lua_string_response_removed: '2.4.1', auth_nss: '2.3.0', auth_oauth2_no_passdb_changed: '2.4.0', auth_policy_fail_type: '2.4.0', diff --git a/docs/core/config/auth/databases/lua.md b/docs/core/config/auth/databases/lua.md index b929d3e5b..bd3340a07 100644 --- a/docs/core/config/auth/databases/lua.md +++ b/docs/core/config/auth/databases/lua.md @@ -111,6 +111,10 @@ Logs warning message. ##### `auth_request#response_from_template(template)` +[[removed,auth_lua_string_response_removed]] This was a bit unsafe +function. Return the table instead with the necessary +`auth_request#var_expand()` calls. + Takes in `key=value` template and expands it using `var_expand()` and produces table suitable for passdb result. @@ -204,7 +208,7 @@ passdb lua { If `auth_password_verify` is found, it's always used. By default, dovecot runs Lua scripts in auth-worker processes. If you do not -want this, you can disable blocking, and Lua script will be run in auth +want this, you can disable using worker, and Lua script will be run in auth process. This can degrade performance if your script is slow or makes external lookups. 
@@ -216,25 +220,29 @@ Lua passdb supports two modes of function:
 
 Function signature is `auth_passdb_lookup(request)`.
 
-Function must return a tuple, which contains a return code, and also
-additionally a string or table.
+Function must return a tuple, which contains:
+ * `dovecot.auth.PASSDB_RESULT_OK` and extra fields table
+ * `dovecot.auth.PASSDB_RESULT_*` error and error string
 
-Table must be in key-value format, as it will be imported into auth request.
+The extra fields table must be in key-value format, as it will be imported into
+auth request.
 
-The string must be in `key=value` format, except if return code indicates
-internal error, the second parameter can be used as error string.
+[[removed,auth_lua_string_response_removed]] String can no longer be returned
+for `PASSDB_RESULT_OK`.
 
 #### Password Verification Database
 
 Function signature is `auth_password_verify(request, password)`.
 
-Function must return a tuple, which contains a return code, and also
-additionally a string or table.
+Function must return a tuple, which contains:
+ * `dovecot.auth.PASSDB_RESULT_OK` and extra fields table
+ * `dovecot.auth.PASSDB_RESULT_*` error and error string
 
-Table must be in key-value format, as it will be imported into auth request.
+The extra fields table must be in key-value format, as it will be imported into
+auth request.
 
-The string must be in `key=value` format, except if return code indicates
-internal error, the second parameter can be used as error string.
+[[removed,auth_lua_string_response_removed]] String can no longer be returned
+for `PASSDB_RESULT_OK`.
 
 ## userdb
 
@@ -242,7 +250,8 @@ To configure userdb in dovecot, use:
 
 ```[dovecot.conf]
 userdb lua {
- args = file=/path/to/lua blocking=yes # default is yes
+ lua_file = /path/to/lua
+ use_worker = yes # default is yes
 }
 ```
 
@@ -254,13 +263,15 @@ Lua userdb supports both single user lookup and iteration.
 
 Function signature is `auth_userdb_lookup(request)`.
 
-The function must return a tuple, which contains a return code, and also
-additionally a string or table.
+Function must return a tuple, which contains:
+ * `dovecot.auth.USERDB_RESULT_OK` and extra fields table
+ * `dovecot.auth.USERDB_RESULT_*` error and error string
 
-Table must be in key-value format, as it will be imported into auth request.
+The extra fields table must be in key-value format, as it will be imported into
+auth request.
 
-The string must be in key=value format, except if return code indicates
-internal error, the second parameter can be used as error string.
+[[removed,auth_lua_string_response_removed]] String can no longer be returned
+for `USERDB_RESULT_OK`.
 
 #### User Iteration
 
@@ -277,14 +288,14 @@ The iteration will hold the whole user database in memory during iteration.
 ```lua:line-numbers
 function auth_passdb_lookup(req)
 if req.user == "testuser1" then
- return dovecot.auth.PASSDB_RESULT_OK, "password=pass"
+ return dovecot.auth.PASSDB_RESULT_OK, { password = "pass" }
 end
 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
 end
 
 function auth_userdb_lookup(req)
 if req.user == "testuser1" then
- return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail"
+ return dovecot.auth.USERDB_RESULT_OK, { uid = "vmail", gid = "vmail" }
 end
 return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
 end
@@ -319,12 +330,12 @@ function auth_passdb_lookup(req)
 for user, pass in string.gmatch(line, "(%w+)%s(.+)") do
 if (user == req.username) then
 -- you can add additional information here, like userdb_uid
- return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
+ return dovecot.auth.PASSDB_RESULT_OK, { password = pass }
 end
 end
 end
 
- return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+ return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN
 end
 ```
 
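Review bot: The rewritten file-lookup example (the hunk at `-319,12 +330,12`) now ends with a bare `return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN`, while the contract text changed earlier in this commit describes a non-OK result as "error and error string" and the skeleton example still passes `"no such user"`. If the second value is optional for error codes, the contract bullets should say so, for example "error and an optional error string"; otherwise the examples should keep a message so script authors are not left guessing what a missing value does. The same bare return appears in both functions of the database example in the following hunk. The body of `auth_passdb_lookup` starts outside this hunk.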
@@ -349,18 +360,18 @@ function auth_passdb_lookup(req)
 res = db_lookup(req.username)
 if res.result == 0 then
 -- you can add additional information here for passdb
- return dovecot.auth.PASSDB_RESULT_OK, "password=" .. res.password
+ return dovecot.auth.PASSDB_RESULT_OK, { password = res.password }
 end
- return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+ return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN
 end
 
 function auth_userdb_lookup(req)
 res = db_lookup(req.username)
 if res.result == 0 then
 -- you can add additional information here for userdb, like uid or home
- return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail"
+ return dovecot.auth.USERDB_RESULT_OK, { uid = "vmail, gid = "vmail" }
 end
- return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, ""
+ return dovecot.auth.USERDB_RESULT_USER_UNKNOWN
 end
 
 function auth_userdb_iterate()
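Review bot: The new `auth_userdb_lookup` return in this hunk is not valid Lua: `{ uid = "vmail, gid = "vmail" }` is missing the closing quote after the first `vmail`, so the example does not parse when copied. It should read `return dovecot.auth.USERDB_RESULT_OK, { uid = "vmail", gid = "vmail" }`, matching the skeleton example changed earlier in this commit. These snippets are the migration reference for moving off string responses, so each one should load as written. The example continues past the hunk at `auth_userdb_iterate()`.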