static int userdb_sql_iterate_get_user(struct sql_userdb_iterate_context *ctx,
const char **user_r)
{
const char *domain;
int idx;
/* try user first */
idx = sql_result_find_field(ctx->result, "user");
if (idx == 0) {
*user_r = sql_result_get_field_value(ctx->result, idx);
return 0;
}
/* username [+ domain]? */
idx = sql_result_find_field(ctx->result, "username");
if (idx < 0) {
/* no user or username, fail */
return -1;
}
*user_r = sql_result_get_field_value(ctx->result, idx);
if (*user_r == NULL)
return 0;
domain = sql_result_find_field_value(ctx->result, "domain");
if (domain != NULL)
*user_r = t_strconcat(*user_r, "@", domain, NULL);
return 0;
}
static void sql_query_callback(struct sql_result *result,
struct passdb_sql_request *sql_request)
{
struct auth_request *auth_request = sql_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct sql_passdb_module *module = (struct sql_passdb_module *)_module;
enum passdb_result passdb_result;
const char *password, *scheme;
int ret;
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
password = NULL;
ret = sql_result_next_row(result);
if (ret >= 0)
db_sql_success(module->conn);
if (ret < 0) {
if (!module->conn->default_password_query) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query failed: %s",
sql_result_get_error(result));
} else {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query failed: %s "
"(using built-in default password_query: %s)",
sql_result_get_error(result),
module->conn->set.password_query);
}
} else if (ret == 0) {
auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB);
passdb_result = PASSDB_RESULT_USER_UNKNOWN;
} else {
sql_query_save_results(result, sql_request);
/* Note that we really want to check if the password field is
found. Just checking if password is set isn't enough,
because with proxies we might want to return NULL as
password. */
if (sql_result_find_field(result, "password") < 0 &&
sql_result_find_field(result, "password_noscheme") < 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query must return a field named "
"'password'");
} else if (sql_result_next_row(result) > 0) {
auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
"Password query returned multiple matches");
} else if (auth_request->passdb_password == NULL &&
!auth_fields_exists(auth_request->extra_fields, "nopassword") &&
!auth_fields_exists(auth_request->extra_fields, "noauthenticate")) {
auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
"Empty password returned without nopassword");
passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
passdb_result = PASSDB_RESULT_OK;
}
}
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
sql_request->callback.lookup_credentials,
auth_request);
auth_request_unref(&auth_request);
return;
}
/* verify plain */
if (password == NULL) {
sql_request->callback.verify_plain(passdb_result, auth_request);
auth_request_unref(&auth_request);
return;
}
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, AUTH_SUBSYS_DB);
sql_request->callback.verify_plain(ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH,
auth_request);
auth_request_unref(&auth_request);
}
