[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs
Timo Sirainen
tss at iki.fi
Mon Jan 9 20:59:03 EET 2012
On 7.1.2012, at 5.36, Yubao Liu wrote:
> In old version, "auth->passdbs" contains all passdbs, this revision
> changes "auth->passdbs" to only contain non-master passdbs.
>
> I'm not sure which fix is better or even my proposal is correct or fully:
> a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
> auth->passdbs too, and remove duplicate code for masterdbs
> in auth_init() and auth_deinit().
Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users to log in as other users.
> b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
> auth_passdb_list_have_lookup_credentials(), auth_passdb_list_have_set_credentials().
Kind of annoying code duplication, but .. I guess it can't really be helped. Added:
http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4
> Another related question is "pass" option in master passdb, if I set it to "yes",
> the authentication fails:
..
> My normal passdb is a PAM passdb, it doesn't support credential lookups, that's
> reasonable,
Right.
> but I feel the comment for "pass" option is confusing:
>
> # Unless you're using PAM, you probably still want the destination user to
> # be looked up from passdb that it really exists. pass=yes does that.
> pass = yes
> }
>
> According to the comment, it's to check whether the real user exists, why not
> to check userdb but another passdb?
Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with a different error message.
> Even if it must check against passdb,
> in this case, it's obviously not necessary to look up credentials, it's enough
> to look up the user name only.
There's currently no passdb that supports "does user exist?" lookup, but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)
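
The capability check discussed in this thread, as an added example that is not part of the original message and is not Dovecot's code: a simplified C model of option (b), where the credential-lookup check walks the master passdb list as well while the two lists stay separate. All struct, field and function names are hypothetical, and the sample setup (a PAM passdb plus a master passdb that supports credential lookups) is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (hypothetical names): only what the check needs. */
struct model_passdb {
	const char *driver;
	bool can_lookup_credentials; /* required by DIGEST-MD5 */
	struct model_passdb *next;
};

struct model_auth {
	struct model_passdb *passdbs;   /* non-master passdbs only */
	struct model_passdb *masterdbs; /* master passdbs, kept in their own list */
};

static bool list_has_lookup(const struct model_passdb *db)
{
	for (; db != NULL; db = db->next) {
		if (db->can_lookup_credentials)
			return true;
	}
	return false;
}

/* Check that only walks the non-master list. */
bool have_lookup_regular_only(const struct model_auth *auth)
{
	return list_has_lookup(auth->passdbs);
}

/* Option (b): same check, also walking masterdbs. The lists are not merged,
 * so master passdbs are still never consulted for regular logins. */
bool have_lookup_with_masterdbs(const struct model_auth *auth)
{
	return list_has_lookup(auth->passdbs) || list_has_lookup(auth->masterdbs);
}

/* Constructed setup: PAM cannot return credentials, the master passdb can. */
static struct model_passdb pam_db = { "pam", false, NULL };
static struct model_passdb master_db = { "constructed-master", true, NULL };
struct model_auth sample_auth = { &pam_db, &master_db };

int main(void)
{
	printf("regular list only: DIGEST-MD5 %s\n",
	       have_lookup_regular_only(&sample_auth) ? "accepted" : "rejected");
	printf("with masterdbs:    DIGEST-MD5 %s\n",
	       have_lookup_with_masterdbs(&sample_auth) ? "accepted" : "rejected");
	return 0;
}
```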