This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 6 and 8 (spanning 2 versions)
Revision 6 as of 2007-03-15 19:24:44
Size: 1774
Editor: troyengel
Comment: removing double 'leaks'
Revision 8 as of 2007-06-13 00:36:33
Size: 1535
Editor: TimoSirainen
Comment:
Line 3: Line 3:
User is looked up using `getpwent()` call, which usually looks into `/etc/passwd` file, but depending on [http://en.wikipedia.org/wiki/Name_Service_Switch NSS] configuration it may also look up the user from eg. LDAP database. User is looked up using `getpwnam()` call, which usually looks into `/etc/passwd` file, but depending on [http://en.wikipedia.org/wiki/Name_Service_Switch NSS] configuration it may also look up the user from eg. LDAP database.
Line 16: Line 16:
The "blocking" name can be a bit confusing. It doesn't mean that the lookup blocks the whole dovecot-auth, exactly the opposite.
Line 22: Line 24:
If you are using '''PAM + nss_ldap''' for all of your login needs (empty `/etc/passwd`, `/etc/nsswitch.conf` uses `passwd: ldap`, etc.) then a good starting configuration might look like: A typical PAM + nss_ldap configuration looks like:
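Review bot: the shortened lead-in at line 24 drops the conditions under which this configuration applies (empty `/etc/passwd`, `passwd: ldap` in `/etc/nsswitch.conf`). "Typical" no longer tells the reader that the example assumes all account data comes from LDAP, so consider keeping that precondition in one short clause.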
Line 33: Line 35:

This would be defined as:
''blocking=no pam, blocking=yes nss_ldap: No memory leaks. Fixes nss_ldap problems. Each PAM lookup is done in a forked process. NSS
lookups are done in auth worker processes. No lookup blocks others.''
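Review bot: the summary removed at line 33 was the only place that said where each lookup runs for this configuration (PAM in a forked process, NSS in auth worker processes). Without it the configuration is shown with no statement of what `blocking=yes` achieves here, so consider keeping one sentence to that effect after the example.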

Passwd

The user is looked up using the getpwnam() call, which usually reads the /etc/passwd file, but depending on the [http://en.wikipedia.org/wiki/Name_Service_Switch NSS] configuration it may also look up the user from e.g. an LDAP database.

Most commonly used as a user database. Many systems use shadow passwords nowadays, so it doesn't usually work as a password database. BSDs are an exception to this: they still set the password field even with shadow passwords.

By default the lookup is done in the primary dovecot-auth process, so if NSS is configured to do the lookups from an external server, it slows down all other authentications while waiting for the reply. To avoid that, you can use the blocking=yes argument to do the lookups in auth worker processes:

# NOTE: v1.0.rc23 and later only
userdb passwd {
  args = blocking=yes
}

The "blocking" name can be a bit confusing. It doesn't mean that the lookup blocks the whole dovecot-auth process; it means exactly the opposite: the lookup may block, so it is done in an auth worker process instead.

nss_ldap

nss_ldap can in some cases return the wrong user's information and cause users to log in as each other. With 1.0.rc23 and later you can fix this by using the blocking=yes setting as described above.

There's an nss_ldap bug about this in [https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154314 RedHat's Bugzilla].
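The wrong-user failure described above can also be detected at lookup time by comparing the name in the returned entry with the name that was requested. The following is an added example, not Dovecot's code and not part of the original page; the names lookup_user, entry_matches and enum lookup_result are hypothetical, and exact case-sensitive matching is an assumption.

```c
/* Added example (not Dovecot source): NSS lookup via getpwnam_r() that
 * rejects an entry whose pw_name differs from the requested name. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lookup_result { LOOKUP_OK, LOOKUP_NOT_FOUND, LOOKUP_MISMATCH, LOOKUP_ERROR };

/* Assumption: an exact, case-sensitive name match is the desired policy. */
static int entry_matches(const char *requested, const struct passwd *pw)
{
    return pw && pw->pw_name && strcmp(requested, pw->pw_name) == 0;
}

/* Sets *uid and *gid only when the result is LOOKUP_OK. */
static enum lookup_result lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd pw, *res = NULL;
    enum lookup_result r = LOOKUP_ERROR;
    size_t len = 1024;
    char *buf = NULL, *tmp;
    int err = ERANGE;

    /* Grow the buffer while getpwnam_r() reports it is too small. */
    while (err == ERANGE && len <= (1u << 20) && (tmp = realloc(buf, len))) {
        buf = tmp;
        err = getpwnam_r(name, &pw, buf, len, &res);
        len *= 2;
    }
    /* A mismatch means NSS answered with another user's entry. */
    if (err == 0 && res == NULL)
        r = LOOKUP_NOT_FOUND;
    else if (err == 0)
        r = entry_matches(name, res) ? LOOKUP_OK : LOOKUP_MISMATCH;
    if (r == LOOKUP_OK) { *uid = res->pw_uid; *gid = res->pw_gid; }
    free(buf);
    return r;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid = 0; gid_t gid = 0;
    enum lookup_result r = lookup_user(name, &uid, &gid);
    printf("%s: result=%d uid=%ld gid=%ld\n", name, (int)r, (long)uid, (long)gid);
    return r == LOOKUP_OK ? 0 : 1;
}
```

If the directory treats user names case-insensitively, a lookup for a differently cased name returns LOOKUP_MISMATCH under this policy, so normalise the name before the lookup or relax the comparison deliberately.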

A typical PAM + nss_ldap configuration looks like:

# NOTE: v1.0.rc23 and later only
userdb passwd {
  args = blocking=yes
}
passdb pam {
  args = dovecot
}

None: AuthDatabase/Passwd (last edited 2019-09-11 14:08:34 by MichaelSlusarz)