[hcoop/debian/courier-authlib.git] / auth_login.3

.\"  <!-- $Id: auth_login.sgml,v 1.4 2007/07/21 20:05:53 mrsam Exp $ -->
.\"  <!-- Copyright 2004 Double Precision, Inc.  See COPYING for -->
.\"  <!-- distribution information. -->
.\"     Title: auth_login
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\"      Date: 08/23/2008
.\"    Manual: Double Precision, Inc.
.\"    Source: Double Precision, Inc.
.\"
.TH "AUTH_LOGIN" "3" "08/23/2008" "Double Precision, Inc." "Double Precision, Inc."
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
auth_login - Validate a userid and password
.SH "SYNOPSIS"
.sp
.RS 4
.nf
#include <courierauth\.h>
.fi
.RE
.HP 18
.BI "int rc=auth_login(const\ char\ *" "service" ", const\ char\ *" "userid" ", const\ char\ *" "password" ", int\ " "(*callback_func)" "(struct\ authinfo\ *,\ void\ *), void\ *" "callback_arg" ");"
.SH "DESCRIPTION"
.PP

\fBauth_login\fR
verifies whether
\fIuserid\fR
exists, and whether it\'s
\fIpassword\fR
is correct\.
\fIservice\fR
specifies which so\-called "service" is being authenticated; like
\(lqimap\(rq
or
\(lqpop3\(rq\.
\fIservice\fR
may or may not be used by the Courier authentication library\'s configured back\-end module\.
.SH "RETURNS"
.PP

\fBcallback_func\fR
will be invoked if
\fBauth_login\fR
succeeds, and
\fBcallback_func\fR\'s return value becomes the return value from
\fBauth_login\fR
(which should be 0, by convention)\.
\fBcallback_func\fR
will not be invoked if an error occurs, which is reported by a non\-zero return value from
\fBauth_login\fR\. By convention, a positive return value indicates an internal, temporary failure, such as the authentication daemon process not running; a negative return value indicates that this request was processed, but it failed\.
.PP
The second argument to
\fBcallback_func\fR
will be
\fBcallback_arg\fR, which is not interpreted by this function in any way\. The first argument will be a pointer to the following structure:
.PP
\fBExample\ 1.\ struct authinfo\fR
.sp
.RS 4
.nf
struct authinfo {
	const char *sysusername;
	const uid_t *sysuserid;
	gid_t sysgroupid;
	const char *homedir;

	const char *address;
	const char *fullname;
	const char *maildir;
	const char *quota;
	const char *passwd;
	const char *clearpasswd;

	const char *options;

	} ;
.fi
.RE
.PP
Description of the above fields:
.PP
address
.RS 4
The authenticated login ID\.
.RE
.PP
sysusername
.RS 4
The authenticated account\'s userid and groupid can be looked up in the password file using
address\. If this field is
NULL, obtain the userid and the groupid from
sysuserid
and
sysgroupid\.
.RE
.PP
sysuserid
.RS 4

sysuserid
may be
NULL
if
sysusername
is initialized, otherwise it\'s a pointer to the account\'s numeric userid\.
.RE
.PP
sysgroupid
.RS 4
Account\'s numeric groupid\.
sysgroupid
is only used when
sysusername
is
NULL\.
.RE
.PP
fullname
.RS 4
This is the account\'s full name\. This field is optional, it may be
NULL\.
.RE
.PP
homedir
.RS 4
The account\'s home directory\. This field cannot be
NULL\.
.RE
.PP
maildir
.RS 4
The pathname to the account\'s mailbox\. This field is optional, it can be
NULL
in which case the default location is assumed\.
.RE
.PP
quota
.RS 4
Optional maildir quota on the account\'s mailbox (and
NULL
if no quota is set)\.
.RE
.PP
passwd
.RS 4
The account\'s encrypted password, if available\. If the account has a cleartext password defined, this field can be set to
NULL\. The encrypted password can take several formats:
.sp
.RS 4
\h'-04'\(bu\h'+03'A traditional triple\-DES crypted password, or a MD5+salt\-hashed password, as used in Linux\.
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'
\(lq{MD5}\(rq
followed by a base64\-encoded MD5 hash of the password\.
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'
\(lq{SHA}\(rq
followed by a base64\-encoded SHA1 hash of the password\.
.RE
.RE
.PP
clearpasswd
.RS 4
The account\'s cleartext password, if available\. If the account has an encrypted password defined, this field can be set to
NULL\.
.RE
.PP
options
.RS 4
A comma\-separated list of miscellaneous account options\. See below for more information\.
.RE
.SS "Account options"
.PP
Depending on the configuration of the Courier authentication library, accounts may have individual options associated with them\. If the authentication library configuration does not implement account options, the option string will be
NULL\. Otherwise it will be a comma\-separated list of
\(lq\fIoption\fR=\fIvalue\fR\(rq
settings\.
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
Note
.PP
This is the account option implementation that\'s used by Courier, Courier\-IMAP, and SqWebMail packages\. Some of the following information is obviously not applicable for a particular package\. The inapplicable bits should be obvious\.
.PP
The following options are recognized by the various Courier packages:
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
Note
.PP
The application is responsible for enforcing all the
\(lqdisabled\(rq
option\. An authentication request for service
\(lqimap\(rq, for example, will succeed provided that the userid and the password are valid, even if
\(lqdisableimap=1\(rq
is set\. The application\'s
\fBcallback_func\fR
should check for this condition, and return a negative return code\.
.PP
disableimap=\fIn\fR
.RS 4
If "n" is 1, IMAP access to this account should be disabled\.
.RE
.PP
disablepop3=\fIn\fR
.RS 4
If "n" is 1, POP3 access to this account should be disabled\.
.RE
.PP
disablewebmail=\fIn\fR
.RS 4
If "n" is 1, webmail access to this account should be disabled\.
.RE
.PP
disableshared=\fIn\fR
.RS 4
If "n" is 1, this account should not have access to shared folders or be able to share its own folders with other people\.
.RE
.PP
group=\fIname\fR
.RS 4
This account is a member of access group
\fIname\fR\. Instead of granting access rights on individual mail folders to individual accounts, the access rights can be granted to an access group
\(lqname\(rq, and all members of this group get the specified access rights\.
.sp
The access group name
\(lqadministrators\(rq
is a reserved group\. All accounts in the
administrators
group automatically receive all rights to all accessible folders\.
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
Note
This option may be specified multiple times to specify that the account belongs to multiple account groups\.
.RE
.PP
sharedgroup=\fIname\fR
.RS 4
Append "name" to the name of the top level virtual shared folder index file\. This setting restricts which virtual shared folders this account could possibly access (and that\'s on top of whatever else the access control lists say)\. See the virtual shared folder documentation for more information\.
.sp
For technical reasons, group names may not include comma, tab, "/" or "|" characters\.
.RE
.SH "SEE ALSO"
.PP

\fI\fBauthlib\fR(3)\fR\&[1],
\fI\fBauth_generic\fR(3)\fR\&[2],
\fI\fBauth_getuserinfo\fR(3)\fR\&[3],
\fI\fBauth_enumerate\fR(3)\fR\&[4],
\fI\fBauth_passwd\fR(3)\fR\&[5],
\fI\fBauth_getoption\fR(3)\fR\&[6]\.
.SH "NOTES"
.IP " 1." 4
\fBauthlib\fR(3)
.RS 4
\%authlib.html
.RE
.IP " 2." 4
\fBauth_generic\fR(3)
.RS 4
\%auth_generic.html
.RE
.IP " 3." 4
\fBauth_getuserinfo\fR(3)
.RS 4
\%auth_getuserinfo.html
.RE
.IP " 4." 4
\fBauth_enumerate\fR(3)
.RS 4
\%auth_enumerate.html
.RE
.IP " 5." 4
\fBauth_passwd\fR(3)
.RS 4
\%auth_passwd.html
.RE
.IP " 6." 4
\fBauth_getoption\fR(3)
.RS 4
\%auth_getoption.html
.RE
Commit	Line	Data
dd184caf	1	.\" <!-- $Id: auth_login.sgml,v 1.4 2007/07/21 20:05:53 mrsam Exp $ -->
d9898ee8	2	.\" <!-- Copyright 2004 Double Precision, Inc. See COPYING for -->
	3	.\" <!-- distribution information. -->
	4	.\" Title: auth_login
	5	.\" Author:
8d138742 CE	6	.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
8d138742 CE	7	.\" Date: 08/23/2008
d9898ee8	8	.\" Manual: Double Precision, Inc.
	9	.\" Source: Double Precision, Inc.
	10	.\"
8d138742	11	.TH "AUTH_LOGIN" "3" "08/23/2008" "Double Precision, Inc." "Double Precision, Inc."
d9898ee8	12	.\" disable hyphenation
	13	.nh
	14	.\" disable justification (adjust text to left margin only)
	15	.ad l
	16	.SH "NAME"
8d138742	17	auth_login - Validate a userid and password
d9898ee8	18	.SH "SYNOPSIS"
	19	.sp
	20	.RS 4
	21	.nf
8d138742	22	#include <courierauth\.h>
d9898ee8	23	.fi
	24	.RE
	25	.HP 18
dd184caf	26	.BI "int rc=auth_login(const\ char\ " "service" ", const\ char\ " "userid" ", const\ char\ " "password" ", int\ " "(callback_func)" "(struct\ authinfo\ ,\ void\ ), void\ *" "callback_arg" ");"
d9898ee8	27	.SH "DESCRIPTION"
	28	.PP
	29
	30	\fBauth_login\fR
	31	verifies whether
	32	\fIuserid\fR
8d138742	33	exists, and whether it\'s
d9898ee8	34	\fIpassword\fR
8d138742	35	is correct\.
d9898ee8	36	\fIservice\fR
	37	specifies which so\-called "service" is being authenticated; like
	38	\(lqimap\(rq
	39	or
8d138742	40	\(lqpop3\(rq\.
d9898ee8	41	\fIservice\fR
8d138742	42	may or may not be used by the Courier authentication library\'s configured back\-end module\.
d9898ee8	43	.SH "RETURNS"
	44	.PP
	45
	46	\fBcallback_func\fR
	47	will be invoked if
	48	\fBauth_login\fR
	49	succeeds, and
8d138742	50	\fBcallback_func\fR\'s return value becomes the return value from
d9898ee8	51	\fBauth_login\fR
8d138742	52	(which should be 0, by convention)\.
d9898ee8	53	\fBcallback_func\fR
d9898ee8	54	will not be invoked if an error occurs, which is reported by a non\-zero return value from
8d138742	55	\fBauth_login\fR\. By convention, a positive return value indicates an internal, temporary failure, such as the authentication daemon process not running; a negative return value indicates that this request was processed, but it failed\.
d9898ee8	56	.PP
	57	The second argument to
	58	\fBcallback_func\fR
	59	will be
8d138742 CE	60	\fBcallback_arg\fR, which is not interpreted by this function in any way\. The first argument will be a pointer to the following structure:
8d138742 CE	61	.PP
d9898ee8	62	\fBExample\ 1.\ struct authinfo\fR
	63	.sp
	64	.RS 4
	65	.nf
	66	struct authinfo {
	67	const char *sysusername;
	68	const uid_t *sysuserid;
	69	gid_t sysgroupid;
	70	const char *homedir;
	71
	72	const char *address;
	73	const char *fullname;
	74	const char *maildir;
	75	const char *quota;
	76	const char *passwd;
	77	const char *clearpasswd;
	78
	79	const char *options;
	80
	81	} ;
	82	.fi
	83	.RE
	84	.PP
	85	Description of the above fields:
	86	.PP
	87	address
	88	.RS 4
8d138742	89	The authenticated login ID\.
d9898ee8	90	.RE
	91	.PP
	92	sysusername
	93	.RS 4
8d138742 CE	94	The authenticated account\'s userid and groupid can be looked up in the password file using
8d138742 CE	95	address\. If this field is
d9898ee8	96	NULL, obtain the userid and the groupid from
	97	sysuserid
	98	and
8d138742	99	sysgroupid\.
d9898ee8	100	.RE
	101	.PP
	102	sysuserid
	103	.RS 4
	104
	105	sysuserid
	106	may be
	107	NULL
	108	if
	109	sysusername
8d138742	110	is initialized, otherwise it\'s a pointer to the account\'s numeric userid\.
d9898ee8	111	.RE
	112	.PP
	113	sysgroupid
	114	.RS 4
8d138742	115	Account\'s numeric groupid\.
d9898ee8	116	sysgroupid
	117	is only used when
	118	sysusername
	119	is
8d138742	120	NULL\.
d9898ee8	121	.RE
	122	.PP
	123	fullname
	124	.RS 4
8d138742 CE	125	This is the account\'s full name\. This field is optional, it may be
8d138742 CE	126	NULL\.
d9898ee8	127	.RE
	128	.PP
	129	homedir
	130	.RS 4
8d138742 CE	131	The account\'s home directory\. This field cannot be
8d138742 CE	132	NULL\.
d9898ee8	133	.RE
	134	.PP
	135	maildir
	136	.RS 4
8d138742	137	The pathname to the account\'s mailbox\. This field is optional, it can be
d9898ee8	138	NULL
8d138742	139	in which case the default location is assumed\.
d9898ee8	140	.RE
	141	.PP
	142	quota
	143	.RS 4
8d138742	144	Optional maildir quota on the account\'s mailbox (and
d9898ee8	145	NULL
8d138742	146	if no quota is set)\.
d9898ee8	147	.RE
	148	.PP
	149	passwd
	150	.RS 4
8d138742 CE	151	The account\'s encrypted password, if available\. If the account has a cleartext password defined, this field can be set to
	152	NULL\. The encrypted password can take several formats:
	153	.sp
d9898ee8	154	.RS 4
8d138742	155	\h'-04'\(bu\h'+03'A traditional triple\-DES crypted password, or a MD5+salt\-hashed password, as used in Linux\.
d9898ee8	156	.RE
8d138742	157	.sp
d9898ee8	158	.RS 4
	159	\h'-04'\(bu\h'+03'
	160	\(lq{MD5}\(rq
8d138742	161	followed by a base64\-encoded MD5 hash of the password\.
d9898ee8	162	.RE
8d138742	163	.sp
d9898ee8	164	.RS 4
	165	\h'-04'\(bu\h'+03'
	166	\(lq{SHA}\(rq
8d138742	167	followed by a base64\-encoded SHA1 hash of the password\.
d9898ee8	168	.RE
	169	.RE
	170	.PP
	171	clearpasswd
	172	.RS 4
8d138742 CE	173	The account\'s cleartext password, if available\. If the account has an encrypted password defined, this field can be set to
8d138742 CE	174	NULL\.
d9898ee8	175	.RE
	176	.PP
	177	options
	178	.RS 4
8d138742	179	A comma\-separated list of miscellaneous account options\. See below for more information\.
d9898ee8	180	.RE
	181	.SS "Account options"
	182	.PP
8d138742 CE	183	Depending on the configuration of the Courier authentication library, accounts may have individual options associated with them\. If the authentication library configuration does not implement account options, the option string will be
8d138742 CE	184	NULL\. Otherwise it will be a comma\-separated list of
d9898ee8	185	\(lq\fIoption\fR=\fIvalue\fR\(rq
8d138742	186	settings\.
d9898ee8	187	.sp
	188	.it 1 an-trap
	189	.nr an-no-space-flag 1
	190	.nr an-break-flag 1
	191	.br
8d138742	192	Note
d9898ee8	193	.PP
8d138742	194	This is the account option implementation that\'s used by Courier, Courier\-IMAP, and SqWebMail packages\. Some of the following information is obviously not applicable for a particular package\. The inapplicable bits should be obvious\.
d9898ee8	195	.PP
	196	The following options are recognized by the various Courier packages:
	197	.sp
	198	.it 1 an-trap
	199	.nr an-no-space-flag 1
	200	.nr an-break-flag 1
	201	.br
8d138742	202	Note
d9898ee8	203	.PP
	204	The application is responsible for enforcing all the
	205	\(lqdisabled\(rq
8d138742	206	option\. An authentication request for service
d9898ee8	207	\(lqimap\(rq, for example, will succeed provided that the userid and the password are valid, even if
d9898ee8	208	\(lqdisableimap=1\(rq
8d138742	209	is set\. The application\'s
d9898ee8	210	\fBcallback_func\fR
8d138742	211	should check for this condition, and return a negative return code\.
d9898ee8	212	.PP
	213	disableimap=\fIn\fR
	214	.RS 4
8d138742	215	If "n" is 1, IMAP access to this account should be disabled\.
d9898ee8	216	.RE
	217	.PP
	218	disablepop3=\fIn\fR
	219	.RS 4
8d138742	220	If "n" is 1, POP3 access to this account should be disabled\.
d9898ee8	221	.RE
	222	.PP
	223	disablewebmail=\fIn\fR
	224	.RS 4
8d138742	225	If "n" is 1, webmail access to this account should be disabled\.
d9898ee8	226	.RE
	227	.PP
	228	disableshared=\fIn\fR
	229	.RS 4
8d138742	230	If "n" is 1, this account should not have access to shared folders or be able to share its own folders with other people\.
d9898ee8	231	.RE
	232	.PP
	233	group=\fIname\fR
	234	.RS 4
	235	This account is a member of access group
8d138742 CE	236	\fIname\fR\. Instead of granting access rights on individual mail folders to individual accounts, the access rights can be granted to an access group
8d138742 CE	237	\(lqname\(rq, and all members of this group get the specified access rights\.
d9898ee8	238	.sp
	239	The access group name
	240	\(lqadministrators\(rq
8d138742	241	is a reserved group\. All accounts in the
d9898ee8	242	administrators
8d138742	243	group automatically receive all rights to all accessible folders\.
d9898ee8	244	.sp
	245	.it 1 an-trap
	246	.nr an-no-space-flag 1
	247	.nr an-break-flag 1
	248	.br
8d138742 CE	249	Note
8d138742 CE	250	This option may be specified multiple times to specify that the account belongs to multiple account groups\.
d9898ee8	251	.RE
	252	.PP
	253	sharedgroup=\fIname\fR
	254	.RS 4
8d138742	255	Append "name" to the name of the top level virtual shared folder index file\. This setting restricts which virtual shared folders this account could possibly access (and that\'s on top of whatever else the access control lists say)\. See the virtual shared folder documentation for more information\.
d9898ee8	256	.sp
8d138742	257	For technical reasons, group names may not include comma, tab, "/" or "\|" characters\.
d9898ee8	258	.RE
	259	.SH "SEE ALSO"
	260	.PP
	261
	262	\fI\fBauthlib\fR(3)\fR\&[1],
	263	\fI\fBauth_generic\fR(3)\fR\&[2],
	264	\fI\fBauth_getuserinfo\fR(3)\fR\&[3],
	265	\fI\fBauth_enumerate\fR(3)\fR\&[4],
	266	\fI\fBauth_passwd\fR(3)\fR\&[5],
8d138742 CE	267	\fI\fBauth_getoption\fR(3)\fR\&[6]\.
8d138742 CE	268	.SH "NOTES"
d9898ee8	269	.IP " 1." 4
	270	\fBauthlib\fR(3)
	271	.RS 4
	272	\%authlib.html
	273	.RE
	274	.IP " 2." 4
	275	\fBauth_generic\fR(3)
	276	.RS 4
	277	\%auth_generic.html
	278	.RE
	279	.IP " 3." 4
	280	\fBauth_getuserinfo\fR(3)
	281	.RS 4
	282	\%auth_getuserinfo.html
	283	.RE
	284	.IP " 4." 4
	285	\fBauth_enumerate\fR(3)
	286	.RS 4
	287	\%auth_enumerate.html
	288	.RE
	289	.IP " 5." 4
	290	\fBauth_passwd\fR(3)
	291	.RS 4
	292	\%auth_passwd.html
	293	.RE
	294	.IP " 6." 4
	295	\fBauth_getoption\fR(3)
	296	.RS 4
	297	\%auth_getoption.html
	298	.RE