This is, perhaps, a strange thing to want to do, but I have reasons.
My Dovecot auth is provided by data retrieved from SQL, so far normal. My passwords are in the appropriate format of {scheme}data, so that's fine.
The problem starts when I have two users with the same username. When I do that I get this error:
auth-worker(32489): Error: sql(__variables__): Password query returned multiple matches
Well fudge. Any thoughts on how I can get around that?
- I considered using the %w variable to filter the sql results, but since the passwords might be in different schemes I can't do a straight test.
- I considered using the %w variable and a stored procedure to find the right result, but then I'd have to do all the hashing in sql and that's a bad time.
- I can make multiple different logins share the same maildir to get the retrieval part to behave the same, but creating more usernames is what I don't want to do.
The reasons I mentioned? I have two use cases:
- Email logins modelled to look more like API keys. Create a username but have a separate password for each client connecting to it; if one gets compromised you can revoke it without having to change all the logins.
- Different non-plaintext auth mechanisms have different intermediate products. Instead of storing the plain text you can store the intermediates. For the sake of example, you could store a value for the CRAM-MD5, SHA256 and OTP schemes.
Any clean way to make this work?
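An added example, not part of the original post: the per-row check that a straight SQL comparison cannot express, done in application code over every `{scheme}data` row returned for one username, returning the label of the credential that matched so that one client's password can be revoked or logged on its own. The function names, row labels and sample secrets are hypothetical, only PLAIN, SHA256 and SSHA256 are handled (assumed base64-encoded, with the SSHA256 salt appended after the digest), and how such a check would be wired into Dovecot is not shown.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size

def _sha256(data, pw):
    return hmac.compare_digest(base64.b64decode(data), hashlib.sha256(pw).digest())

def _ssha256(data, pw):
    raw = base64.b64decode(data)  # assumed layout: digest followed by salt
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return bool(salt) and hmac.compare_digest(digest, hashlib.sha256(pw + salt).digest())

VERIFIERS = {
    "PLAIN": lambda data, pw: hmac.compare_digest(data.encode(), pw),
    "SHA256": _sha256,
    "SSHA256": _ssha256,
}

def match_credential(rows, password):
    """Return the label of the first row whose stored hash matches, else None.

    rows: (label, "{SCHEME}data") pairs, all belonging to the same username.
    """
    pw, matched = password.encode(), None
    for label, stored in rows:
        scheme, sep, data = stored[1:].partition("}")
        verify = VERIFIERS.get(scheme.upper())
        if not stored.startswith("{") or not sep or verify is None:
            continue  # malformed or unsupported scheme: this row never matches
        try:
            ok = verify(data, pw)
        except ValueError:  # bad base64 (binascii.Error is a ValueError)
            ok = False
        if ok and matched is None:
            matched = label  # no early return, so every row is always checked
    return matched

def make_ssha256(pw, salt):
    return "{SSHA256}" + base64.b64encode(hashlib.sha256(pw + salt).digest() + salt).decode()

# Constructed sample rows for one username (labels and secrets are made up).
SAMPLE_ROWS = [
    ("laptop", "{SHA256}" + base64.b64encode(hashlib.sha256(b"laptop-secret").digest()).decode()),
    ("phone", make_ssha256(b"phone-secret", b"\x01\x02\x03\x04")),
    ("legacy", "{CRAM-MD5}not-handled-here"),
]
```

Revoking one client is then a matter of deleting its row; the other rows for the same username keep working.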