Sorry to flood the list with this... but I've _finally_ figured out the problem.
From what appears to be the correct syntax I find this difficult to read:
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  #
  # If service name is "*", it means the authenticating service name
  # is used, eg. pop3 or imap.
  args = "*"
}
That suggests to me that some of the following are valid syntax:
passdb pam {
  -session cache_key=%n
  args = "*"
}
or:
passdb pam { -session cache_key=%n imap }
or:
passdb pam { -session cache_key=%n args="imap" }
For some of these, Dovecot refuses to start, for others it starts but "-session" appears to be ignored. I think that for others the user can't authenticate at all, but I've been trying a LOT of combinations this evening, and I'm not clear on the correct logic of this & if the guilty one is a combination I haven't remembered.
IMHO the best way to document this in the supplied dovecot.conf would be:
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  #
  # cache_key can be used to enable authentication caching for PAM
  # (auth_cache_size also needs to be set). It isn't enabled by default
  # because PAM modules can do all kinds of checks besides checking password,
  # such as checking IP address. Dovecot can't know about these checks
  # without some help. cache_key is simply a list of variables (see
  # doc/variables.txt) which must match for the cached data to be used.
  # Here are some examples:
  #   %u   - Username must match. Probably sufficient for most uses.
  #   %u%r - Username and remote IP address must match.
  #   %u%s - Username and service (ie. IMAP, POP3) must match.
  #
  # If service name is "*", it means the authenticating service name
  # is used, eg. pop3 or imap.
  #
  # EXAMPLES:
  #
  # args = "-session cache_key=%n imap"
  # args = "-session *"
  # args = "*"
  args = "*"
}
Or have I been really dumb to miss this?
It took me ages to get:
passdb pam {
  args = "-session *"
}
And the moment I did, it worked PERFECTLY.
Stroller.
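An added example, not part of Stroller's post and not Dovecot's own code: a small checker that takes the `passdb pam { ... }` variants from the message above and separates what sits inside `args = "..."` from bare words dropped into the block. The `args` string is parsed against the grammar the dovecot.conf comment gives, `[-session] [cache_key=<key>] [<service name>]`. Everything beyond that comment is assumption: the example treats the three parts as positional and in that order, reports a missing service name as `None`, and only flags stray words rather than modelling how Dovecot actually reacts to them (the post reports that it sometimes refuses to start and sometimes silently ignores them). The sample configs are constructed from the post.

```python
"""Checker for the passdb pam block variants in the thread.

Not Dovecot's parser. It applies the grammar stated in the dovecot.conf
comment, `[-session] [cache_key=<key>] [<service name>]`, to the args
string and flags the recurring mistake: `-session`, `cache_key=...` or a
service name written as bare words in the block instead of inside
args = "...".  Positional ordering of the three parts is an assumption.
"""
import re
import shlex

# One `passdb pam { ... }` block, body captured. Assumes a single block per
# input, which is all the thread ever shows.
BLOCK_RE = re.compile(r"passdb\s+pam\s*\{(.*)\}", re.S)


def parse_pam_args(args):
    """Parse args per `[-session] [cache_key=<key>] [<service name>]`.

    Returns {"session": bool, "cache_key": str|None, "service": str|None}.
    Raises ValueError for anything the documented grammar does not allow,
    e.g. an option after the service name or an unknown -flag.
    """
    tokens = args.split()
    parsed = {"session": False, "cache_key": None, "service": None}
    pos = 0
    if pos < len(tokens) and tokens[pos] == "-session":
        parsed["session"] = True
        pos += 1
    if pos < len(tokens) and tokens[pos].startswith("cache_key="):
        parsed["cache_key"] = tokens[pos][len("cache_key="):]
        pos += 1
    if pos < len(tokens) and not tokens[pos].startswith("-"):
        parsed["service"] = tokens[pos]
        pos += 1
    if pos != len(tokens):
        raise ValueError("args %r: unexpected %r" % (args, " ".join(tokens[pos:])))
    return parsed


def check_passdb_pam(conf):
    """Check a dovecot.conf snippet containing one passdb pam block.

    Returns {"args": parsed args or None, "stray": [bare words in the block]}.
    A non-empty "stray" list is the warning sign: those words are not
    settings, so whatever they were meant to do will not happen.
    """
    m = BLOCK_RE.search(conf)
    if m is None:
        raise ValueError("no passdb pam { ... } block found")
    # posix=False keeps the double quotes on quoted values, so args = "-session *"
    # survives as a single token; comments=True drops the # lines.
    tokens = shlex.split(m.group(1), comments=True, posix=False)
    args, stray, i = None, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "args" and i + 2 < len(tokens) and tokens[i + 1] == "=":
            args, i = tokens[i + 2], i + 3          # args = "..."
        elif tok.startswith("args="):
            args, i = tok[len("args="):], i + 1     # args="..." with no spaces
        else:
            stray.append(tok)                        # bare word, not a setting
            i += 1
    if args is not None and len(args) >= 2 and args[0] == args[-1] == '"':
        args = args[1:-1]                            # strip the kept quotes
    return {"args": parse_pam_args(args) if args is not None else None,
            "stray": stray}


# Constructed inputs: the variants tried in the post, plus the one that worked.
VARIANTS = {
    "bare words plus args":       'passdb pam {\n  -session cache_key=%n\n  args = "*"\n}',
    "bare words only":            "passdb pam { -session cache_key=%n imap }",
    "bare words, quoted service": 'passdb pam { -session cache_key=%n args="imap" }',
    "everything inside args":     'passdb pam {\n  args = "-session *"\n}',
}

if __name__ == "__main__":
    for name, conf in VARIANTS.items():
        print("%-28s -> %s" % (name, check_passdb_pam(conf)))
```

Run as a script it prints one line per variant; the only one with an empty `stray` list and `session` set is the last, which is the form that finally worked in the post. Feeding `parse_pam_args("imap -session")` raises, which is the positional-order assumption showing: under the comment's grammar the service name comes last.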