[Dovecot] Logging "issue" with PAM authentication

Steve Johnson maillist at sjohnson.info
Wed Jul 7 21:21:04 EEST 2004


Thanks for the clarification. The pam file for dovecot references to
system-auth:

auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth

Of course, system-auth does indeed have both (and needs both). However,
I tried modifying the dovecot pam file to a few things instead of
system_auth, but can't get it to work.

I've tried with just the following:

auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
session     optional      /lib/security/$ISA/pam_ldap.so

And I've also tried with all the system-auth lines, except the
pam_unix.so ones, like this:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
type=
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     optional      /lib/security/$ISA/pam_ldap.so

In both of these situations, users can't authenticate. Is there
something I'm doing wrong? I'm not that familiar with pam, so it's a
very plausible cause! :)

Thanks again,
Steve Johnson

On Wed, 2004-07-07 at 13:57, Timo Sirainen wrote:
> On 7.7.2004, at 20:39, Steve Johnson wrote:
> 
> > We currently have a postfix/dovecot setup using nss_ldap with PAM for
> > authentication. Everything is working fine, but there are excessive
> > "error" messages in /var/log/messages that I'd like to prevent from
> > happening.
> >
> > Since auth_userdb defaults to passwd and that our users are not in the
> > passwd file, we get the following message everytime a user logs in:
> 
> passwd userdb actually uses NSS (or getpwnam() which uses it) and not 
> /etc/passwd directly.
> 
> > Jul  7 13:34:37 hostname dovecot(pam_unix)[32206]: check pass; user
> > unknown
> > Jul  7 13:34:37 hostname dovecot(pam_unix)[32206]: authentication
> > failure; logname= uid=0 euid=0 tty= ruser= rhost=
> 
> That's written by pam_unix PAM module, not Dovecot. Do you have both 
> pam_unix and pam_ldap in /etc/pam.d/dovecot? Remove the pam_unix.so 
> lines from there.



More information about the dovecot mailing list