[Dovecot] 1.1.6: PAM passdb/userdb (mis)configuration
Oved Ben-Aroya
oved+dovecot at xor.technion.ac.il
Thu Feb 5 09:50:06 EET 2009
I was not able to reproduce the Outlook/OL Express users' complaints (in
a test system). As it turned out, a DB problem in one of our ldap servers
led to dovecot authentication failures - showing in the logs that "shadow"
authentication failed. Deleting the "passdb shadow" (plus clean up of
tens of dovecot-auth processes) fixed it. A couple of days later, a user
complained that he can't login with Outlook (OL asking for his password
again and again), and a check revealed that his password expired :-)
Still not using authentication cache...
Just FYI.
On Tue, Jan 13, 2009 at 12:49:47PM -0500, Timo Sirainen wrote:
> On Tue, 2009-01-13 at 09:14 +0200, Oved Ben-Aroya wrote:
> > > > >which work fine, except for Outlook/OL Express users that are asked for
> > > > >their password whenever they "send/receive"... We've had also "passdb shadow"
> > > > >that somehow "fixed" this
> > >
> > > This really makes no sense. Outlook doesn't know if you're using PAM
> > > or shadow. Do you mean that Outlook anyway can successfully log in,
> > > but just asks the password all the time?
> >
> > Sorry I was not clear in my description of the problem.
> > Yes, users of Outlook log in and read their mail just fine. However,
> > whenever they want to refresh the inbox or send mail, they are presented
> > with a login window of Outlook. With the "passdb shadow" directive that somehow
> > crept in, Outlook users were not asked for password after they logged in
> > (however this broke the password expiration).
>
> Well, there is some difference between what PAM and shadow do. Perhaps
> PAM starts failing the login after some time? Enable auth_debug=yes and
> see what the difference is between when using shadow and pam.
>
> The difference between Outlook/OE and other clients is that they keep
> logging out and back in all the time, while other clients typically log
> in only once. Perhaps you have a PAM plugin that limits the number of
> logins to once every n minutes or something?
>
> > I wonder if we need to enable authentication cache?
>
> It shouldn't be necessary, but if the problem is something like what I
> described above then auth cache will probably work around the actual
> problem in most cases (but not all).
--
\Oved
Dr. Oved Ben-Aroya, Head Unix group, Taub Computer Center, Technion
Phone: +972 (4) 829 3688 FAX: +972 (4) 823 6212
oved at technion.ac.il PGP key at http://tx.technion.ac.il/~oved/pgp/pubkey
PGP Key fingerprint: A9 52 46 04 E8 70 41 99 60 E3 DA 8F BA 39 C2 C8