Timo Sirainen wrote:
> Yes, http://wiki.dovecot.org/PasswordDatabase/PAM explains what it does and why it might not be a good idea. Although no-one has yet reported any success/failure stories, those are all my own guesses..
I gotcha, makes sense having read it. Now I'm back on the fence, as I'll want to research the status of these PAM/nss_ldap memory leaks that might occur if we set it to blocking=yes.
It seems like the choice is to be asynchronous and possibly run into a user collision on the file descriptor (percentage chance, anyone? 2%? 5%?) or to use a synchronous/blocking pipeline at the expense of never releasing the PAM code (sic) and possibly leaking memory.
Here comes my "I am not a real programmer" thought -- there really is no way for dovecot-auth's forked child processes to set up their own unique descriptor? Maybe an alternative way of doing the fork? Just pondering...
-te
-- 
Troy Engel | Systems Engineer
Fluid, Inc | http://www.fluid.com