[Dovecot] Static userdb with LDAP passdb but without "allow_all_users=yes"?

Andreas Ntaflos daff at dword.org
Wed Dec 1 03:56:31 EET 2010


On Friday 26 November 2010 17:30:55 Timo Sirainen wrote:
> On Thu, 2010-11-25 at 19:31 +0100, Andreas Ntaflos wrote:
> > Is it possible to have a static user database along with an LDAP
> > password database and *not* be forced to set "allow_all_users=yes"
> > for the userdb?
> 
> Yes.
> 
> > dovecot: auth: Error: static(not-a-user at test01.example.com): passdb
> > doesn't support lookups, can't verify user's existence
> 
> Set auth_debug=yes and see what it logs. passdb ldap should support
> it, as long as you don't set auth_bind=yes. I just verified that it
> works:

Thanks for the hint! I always forget how useful mail_debug and 
auth_debug can be. It turns out that the problem was indeed that I had 
passwd and pam as additional user and password databases. The order in 
which they are declared in dovecot.conf matters, of course, and when the 
PAM passdb is the last entry, the problem appears.

The workaround is obviously to not set PAM as the last entry. But this 
also means that any user from the LDAP/static user database that tries 
to log in has to go through PAM first and fail. On a busy server with 
lots of LDAP/static users and few system users this would waste quite a 
few resources and clutter up /var/log/auth.log pretty badly. 

Is there a way around that?

Andreas