This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 12 and 13
Revision 12 as of 2009-03-15 22:35:23
Size: 1959
Editor: localhost
Comment: converted to 1.6 markup
Revision 13 as of 2010-06-14 20:33:18
Size: 1136
Editor: TimoSirainen
Comment:
Line 6: Line 6:
The lookup is by default done in the primary dovecot-auth process, so if NSS is configured to do the lookups from an external server, it slows down all the other authentications while waiting for the reply. To avoid that, you can use {{{blocking=yes}}} argument to do the lookups in auth worker processes: The lookup is by default done in the auth worker processes. If you have only a small local passwd file, you can avoid having extra auth worker processes by disabling it:
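Review bot: The replacement sentence at Line 6 should still say what happens with blocking=no when NSS does lookups from an external server. The old wording (it "slows down all the other authentications while waiting for the reply") is removed and the new text only covers the small local passwd file case. Suggest adding a clause that blocking=no is meant only for local passwd files and should be left unset when NSS is configured to query an external server.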
Line 9: Line 9:
# NOTE: v1.0.rc23 and later only
userdb passwd {
  args = blocking=yes
userdb {
  driver =
passwd
  args = blocking=no
Line 14: Line 14:
The "blocking" name can be a bit confusing. It doesn't mean that the lookup blocks the whole dovecot-auth, exactly the opposite.
Line 17: Line 16:
v1.1+ only: It's possible to override fields from passwd and add [[UserDatabase/ExtraFields|extra fields]] with templates. For example: It's possible to override fields from passwd and add [[UserDatabase/ExtraFields|extra fields]] with templates. For example:
Line 20: Line 19:
userdb passwd { userdb {
  driver =
passwd
Line 25: Line 25:

== nss_ldap ==
nss_ldap can in some cases return wrong user's information and cause users to log in as each others. With 1.0.rc23 and later you can fix this by using the {{{blocking=yes}}} setting as described above.

There's a nss_ldap bug about this in [[https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154314|RedHat's Bugzilla]].

A typical PAM + nss_ldap configuration looks like:

{{{
# NOTE: v1.0.rc23 and later only
  userdb passwd {
    args = blocking=yes
  }
  passdb pam {
    args = dovecot
  }
}}}
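Review bot: The nss_ldap section removed at Line 25 carried the page's only warning that nss_ldap "can in some cases return wrong user's information and cause users to log in as each others", with blocking=yes given as the fix. The new example at Line 9 now documents blocking=no, so suggest keeping a one-line caveat next to that example saying blocking=no should not be combined with nss_ldap, and retaining the Red Hat Bugzilla link.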

Passwd

The user is looked up with the getpwnam() call, which usually reads the /etc/passwd file, but depending on the NSS configuration it may also look up the user from e.g. an LDAP database.

Most commonly used as a user database. Many systems use shadow passwords nowadays, so it doesn't usually work as a password database. BSDs are an exception to this: they still set the password field even with shadow passwords.

The lookup is by default done in the auth worker processes. If you have only a small local passwd file, you can avoid having extra auth worker processes by disabling this with blocking=no:

userdb {
  driver = passwd
  args = blocking=no
}
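
An added example, not part of the Dovecot documentation: a Python check that flags blocking=no when the NSS passwd line lists sources other than files, since getpwnam() may then reach e.g. LDAP rather than a small local passwd file. The sample inputs are constructed, and the function names and the choice to treat only "files" as local are assumptions of this example.

```python
import re

LOCAL_SOURCES = {"files"}  # assumption: only "files" counts as a small local passwd file

# Constructed sample inputs (not taken from any real host).
SAMPLE_NSSWITCH = "passwd: files [NOTFOUND=continue] ldap\ngroup: files\n"
SAMPLE_DOVECOT = """
userdb {
  driver = passwd
  args = blocking=no
}
"""

def passwd_sources(nsswitch_text):
    """Return the NSS sources on the 'passwd:' line, ignoring [action] items."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):]).split()
    return []

def passwd_userdb_blocking(dovecot_text):
    """Return the effective blocking value of every userdb block with driver = passwd."""
    values = []
    for body in re.findall(r"^\s*userdb\s*\{(.*?)^\s*\}", dovecot_text, re.S | re.M):
        settings = {}
        for line in body.splitlines():
            key, sep, value = line.split("#", 1)[0].partition("=")
            if sep:
                settings[key.strip()] = value.strip()
        if settings.get("driver") == "passwd":
            m = re.search(r"(?:^|\s)blocking=(\S+)", settings.get("args", ""))
            # Per the page, worker-process lookups are the default when blocking is unset.
            values.append(m.group(1) if m else "yes")
    return values

def audit(nsswitch_text, dovecot_text):
    """Flag blocking=no when getpwnam() may leave the local passwd file."""
    remote = [s for s in passwd_sources(nsswitch_text) if s not in LOCAL_SOURCES]
    return ["userdb passwd sets blocking=no but NSS passwd also uses: " + ", ".join(remote)
            for value in passwd_userdb_blocking(dovecot_text)
            if value == "no" and remote]

if __name__ == "__main__":
    for finding in audit(SAMPLE_NSSWITCH, SAMPLE_DOVECOT):
        print(finding)
```
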

Field overriding and extra fields

It's possible to override fields from passwd and add extra fields with templates. For example:

userdb {
  driver = passwd
  args = home=/var/mail/%u mail=maildir:/var/mail/%u/Maildir
}

This uses the UID and GID fields from passwd, but the home directory is overridden. The default mail_location setting is also overridden.

None: AuthDatabase/Passwd (last edited 2019-09-11 14:08:34 by MichaelSlusarz)