From 1b2ad5db7b4ed518bd732d2ae35cd552354ec1aa Mon Sep 17 00:00:00 2001 From: pacien Date: Wed, 12 Sep 2018 23:58:06 +0200 Subject: Fallback on PAM if no USERLIST --- conf.d/070_authenticators.conf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/conf.d/070_authenticators.conf b/conf.d/070_authenticators.conf index adc08c2..93a6ce2 100644 --- a/conf.d/070_authenticators.conf +++ b/conf.d/070_authenticators.conf @@ -19,6 +19,12 @@ begin authenticators +.ifdef USERLIST +AUTH_CHECK = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{USERLIST}}} {yes}{no}} +.else +AUTH_CHECK = ${if pam{$auth2:${sg{$auth3}{:}{::}}} {yes}{no}} +.endif + # PLAIN authentication has no server prompts. The client sends its # credentials in one lump, containing an authorization ID (which we do not # use), an authentication ID, and a password. The latter two appear as @@ -32,7 +38,7 @@ PLAIN: public_name = PLAIN server_prompts = : server_set_id = $auth2 - server_condition = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{USERLIST}}} {yes}{no}} + server_condition = AUTH_CHECK server_advertise_condition = ${if ={587}{$interface_port} {yes}{no}} # LOGIN authentication has traditional prompts and responses. There is no -- cgit v1.2.3
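Review bot: When USERLIST is not defined, the added `.else` branch silently switches SMTP AUTH to system accounts through PAM, so a missing or misspelled macro changes which passwords are accepted without any visible signal. I would document this above the `.ifdef` with `# Credentials are checked against USERLIST when it is defined; otherwise against system accounts via PAM.`, or gate the PAM branch on a macro of its own so the fallback is an explicit choice. The Exim documentation notes that on some systems PAM can only be used from a process running as root, while Exim receives mail as the Exim user, so the fallback may reject every login there and should be tested on the target host. Only `$auth3` is colon-doubled in the `pam{...}` list; giving `$auth2` the same `${sg{$auth2}{:}{::}}` treatment would keep a colon in the user name from shifting the list items.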
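Review bot: Now that `server_condition = AUTH_CHECK` can resolve to the PAM check, PLAIN may carry system account passwords, yet the `server_advertise_condition` visible in the context tests only the port. Unless TLS is enforced elsewhere in the configuration (not visible here), consider `server_advertise_condition = ${if and{{={587}{$interface_port}}{def:tls_in_cipher}} {yes}{no}}`. The PLAIN definition begins before the hunk and the LOGIN authenticator that follows is outside it. If LOGIN still performs the `lsearch{USERLIST}` lookup itself, it needs an equivalent fallback written for its own `$auth` variables, otherwise the two mechanisms will disagree when USERLIST is undefined.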