[Dovecot] Authentication cache, failure to login after changed password

Timo Sirainen tss at iki.fi
Thu Aug 21 13:25:14 EEST 2008


On Thu, 2008-08-21 at 09:11 +0200, Tom Sommer wrote:
> Timo Sirainen wrote:
> > On Tue, 2008-08-19 at 15:49 +0200, Tom Sommer wrote:
> >> On Tue, August 19, 2008 15:44, Tom Sommer wrote:
> >>
> >>> Using version 1.1.1, MySQL userdb, with "nopassword=Y".
> >>>
> >>> Maybe it's due to nopassword?
> >> Should add, this is my password_query:
> >>
> >> password_query = SELECT username as user, NULL as password, "Y" as
> >> nopassword FROM users WHERE ...
> > 
> > So how do you check the password validity?
> 
> Simple
> 
> SELECT username as user, NULL as password, "Y" as nopassword FROM users 
> WHERE username = '%u' AND password = '[password]'

By [password] I suppose you mean %w?

The way it's supposed to work then is that Dovecot places %u and %w in
the cache key. So only if both of them match, the cache is used. This
also means that if the password is changed and the old password is cached,
the user is able to log in using either the old or the new password (both of
them will be cached in separate entries). And I just tested that it
works like that. So if you're getting auth failures, there's something
wrong.
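
The cache behaviour described in the message above, as an added example that is not part of the original post and is not Dovecot code: a toy cache keyed on (%u, %w) in front of a backend that stands in for the password_query. The class names, the TTL value and the sample user are assumptions made for the illustration.

```python
# Added illustration: a toy model of a password-check cache keyed on (%u, %w).
# Not Dovecot code; class names, the TTL value and the sample user are constructed.

class Backend:
    """Stands in for the SQL password_query: succeeds only if both fields match."""
    def __init__(self, users):
        self.users = dict(users)
        self.lookups = 0

    def check(self, user, password):
        self.lookups += 1
        return self.users.get(user) == password


class AuthCache:
    """Caches successful lookups under the key (user, password)."""
    def __init__(self, backend, ttl):
        self.backend = backend
        self.ttl = ttl          # assumed lifetime of a cache entry, in seconds
        self.entries = {}       # (user, password) -> expiry time

    def login(self, user, password, now):
        key = (user, password)
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return True         # cache hit: the backend is not consulted
        self.entries.pop(key, None)
        if self.backend.check(user, password):
            self.entries[key] = now + self.ttl
            return True
        return False


def demo():
    backend = Backend({"tom": "old-secret"})
    cache = AuthCache(backend, ttl=3600)
    results = {}
    results["old_before_change"] = cache.login("tom", "old-secret", now=0)
    backend.users["tom"] = "new-secret"   # password changed in the database
    results["new_after_change"] = cache.login("tom", "new-secret", now=10)
    results["old_after_change"] = cache.login("tom", "old-secret", now=20)
    results["wrong_password"] = cache.login("tom", "guess", now=30)
    results["old_after_ttl"] = cache.login("tom", "old-secret", now=3601)
    results["entries"] = len(cache.entries)
    results["backend_lookups"] = backend.lookups
    return results


if __name__ == "__main__": print(demo())
```

In this model the old password keeps working until its cache entry expires, so the entry lifetime bounds how long a replaced password remains usable.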