also sprach Timo Sirainen <tss@iki.fi> [2015-11-21 14:14 +1300]:
> Well, your topic is PAM.
Is it? My point is that PAM should not even be asked if an authentication source beforehand knows about a user but the password cannot be verified.
> But.. Right now passdb has result_success, result_failure and result_internalfail. I suppose it should be possible to add result_user_unknown there that defaults to result_failure if it's not explicitly set.
result_user_known should be returned when the authentication source does not know about a user.
If the authentication source knows a user but fails to authenticate him/her due to a password mismatch, the result should rather be result_auth_failure.
Those two should really replace result_failure and the dovecot authentication stack should only continue on result_user_known or result_internalfail. If we get result_success or result_auth_failure, then authentication is done and no further sources should be considered.
-- @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
only by counting could humans demonstrate their independence of computers. -- douglas adams, "the hitchhiker's guide to the galaxy"
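A small model of the chain behaviour proposed in this message, added here as an illustration; it is not Dovecot code and not from the thread. The result names, the `authenticate` helper, the source names and the rule for an exhausted chain (report an internal failure if any source had one, otherwise unknown user) are assumptions of this example.

```python
import hmac
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    AUTH_FAILURE = "auth_failure"    # source knows the user, password mismatch
    USER_UNKNOWN = "user_unknown"    # source has no record of the user
    INTERNAL_FAIL = "internalfail"   # source could not be queried


def table_source(users):
    """Build a source from a dict of user -> password (constructed sample data)."""
    def lookup(user, password):
        if user not in users:
            return Result.USER_UNKNOWN
        same = hmac.compare_digest(users[user].encode(), password.encode())
        return Result.SUCCESS if same else Result.AUTH_FAILURE
    return lookup


def broken_source(user, password):
    """Stand-in for a source whose backend is unreachable."""
    return Result.INTERNAL_FAIL


def authenticate(chain, user, password):
    """Walk the chain; return (final result, names of the sources consulted)."""
    asked, saw_internal = [], False
    for name, source in chain:
        asked.append(name)
        result = source(user, password)
        # A definite answer ends the lookup: later sources are never asked.
        if result in (Result.SUCCESS, Result.AUTH_FAILURE):
            return result, asked
        if result is Result.INTERNAL_FAIL:
            saw_internal = True
    # Assumption: with no definite answer, an internal failure outranks "unknown".
    return (Result.INTERNAL_FAIL if saw_internal else Result.USER_UNKNOWN), asked


if __name__ == "__main__":
    chain = [("sql", table_source({"alice": "mail-pw"})),
             ("pam", table_source({"alice": "system-pw", "bob": "bob-pw"}))]
    # alice exists in "sql", so her system password is never offered to "pam".
    print(authenticate(chain, "alice", "system-pw"))
    print(authenticate(chain, "bob", "bob-pw"))
```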