On 7.1.2012, at 5.36, Yubao Liu wrote:
In the old version, "auth->passdbs" contained all passdbs; this revision changes "auth->passdbs" to contain only non-master passdbs.
I'm not sure which fix is better, or even whether my proposal is correct or complete: a) in src/auth/auth.c:auth_passdb_preinit(), insert the master passdb into auth->passdbs too, and remove the duplicate code for masterdbs in auth_init() and auth_deinit().
Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users logging in as other users.
b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(), auth_passdb_list_have_lookup_credentials(), auth_passdb_list_have_set_credentials().
Kind of annoying code duplication, but .. I guess it can't really be helped. Added: http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4
Another related question is the "pass" option in the master passdb: if I set it to "yes", the authentication fails: .. My normal passdb is a PAM passdb; it doesn't support credential lookups, which is reasonable,
Right.
but I feel the comment for "pass" option is confusing:
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}
According to the comment, it's there to check whether the real user exists, so why check another passdb rather than the userdb?
Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with different error message.
Even if it must check against a passdb, in this case it's obviously not necessary to look up credentials; it's enough to look up the user name only.
There's currently no passdb that supports "does user exist?" lookup, but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)
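The following is an added illustration, not Dovecot's code and not part of the thread above. It models in a few lines why the master passdbs are kept in a list separate from the regular passdbs (the point behind fix b and the "regular users logging in as other users" concern), and what the master passdb's "pass = yes" option asks of the regular passdbs: a credentials lookup that a PAM-style passdb cannot serve, so the master login fails. All passdb names, users and passwords are constructed sample data, and the Passdb/Auth classes are simplifications invented for this example.

```python
from dataclasses import dataclass


@dataclass
class Passdb:
    """Toy passdb. 'users' maps user -> password (constructed sample data);
    a PAM-like passdb can verify a password but cannot look up credentials."""
    name: str
    users: dict
    master: bool = False
    can_lookup_credentials: bool = True

    def verify_plain(self, user, password):
        return self.users.get(user) == password

    def lookup_credentials(self, user):
        if not self.can_lookup_credentials:
            raise NotImplementedError(f"{self.name}: credential lookups not supported")
        return user in self.users


class Auth:
    """Mirrors the new layout: auth->passdbs holds only regular passdbs,
    master passdbs live in their own list."""

    def __init__(self, passdbs, masterdbs, pass_option=False):
        self.passdbs = list(passdbs)
        self.masterdbs = list(masterdbs)
        self.pass_option = pass_option      # the master passdb's "pass = yes"
        self.last_error = None

    def have_lookup_credentials(self):
        # the check from fix b: it must cover both lists, hence the duplication
        return any(db.can_lookup_credentials for db in self.passdbs + self.masterdbs)

    @staticmethod
    def _verify(dbs, user, password):
        return any(db.verify_plain(user, password) for db in dbs)

    def authenticate(self, login_user, password, master_user=None):
        self.last_error = None
        if master_user is None:
            # ordinary login: regular passdbs only, master passdbs never consulted
            return self._verify(self.passdbs, login_user, password)
        # master login ("login_user*master_user"): the password is checked
        # against the master passdbs only
        if not self._verify(self.masterdbs, master_user, password):
            return False
        if not self.pass_option:
            return True
        # pass=yes: confirm the destination user exists in a regular passdb.
        # That is a credentials lookup, which a PAM-style passdb cannot do.
        try:
            return any(db.lookup_credentials(login_user) for db in self.passdbs)
        except NotImplementedError as err:
            self.last_error = str(err)      # the failure the thread describes
            return False


def authenticate_merged(all_dbs, login_user, password, master_user=None):
    """Hypothetical flawed variant of proposal a): one list holding master and
    regular passdbs alike, so a master login is verified against all of them."""
    target = master_user if master_user is not None else login_user
    return any(db.verify_plain(target, password) for db in all_dbs)


# constructed sample passdbs
REGULAR = Passdb("passwd-file", {"alice": "alice-pw", "bob": "bob-pw"})
PAM = Passdb("pam", {"alice": "alice-pw", "bob": "bob-pw"}, can_lookup_credentials=False)
MASTER = Passdb("master-file", {"admin": "admin-pw"}, master=True)


def demo():
    separate = Auth([REGULAR], [MASTER], pass_option=True)
    pam_pass_yes = Auth([PAM], [MASTER], pass_option=True)
    pam_pass_no = Auth([PAM], [MASTER], pass_option=False)
    return {
        "admin_as_bob": separate.authenticate("bob", "admin-pw", master_user="admin"),
        "alice_as_bob": separate.authenticate("bob", "alice-pw", master_user="alice"),
        "merged_alice_as_bob": authenticate_merged([REGULAR, MASTER], "bob", "alice-pw",
                                                   master_user="alice"),
        "pam_pass_yes": pam_pass_yes.authenticate("bob", "admin-pw", master_user="admin"),
        "pam_pass_yes_error": pam_pass_yes.last_error,
        "pam_pass_no": pam_pass_no.authenticate("bob", "admin-pw", master_user="admin"),
        "pam_has_lookup": Auth([PAM], []).have_lookup_credentials(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the lists kept separate, "bob*alice" with alice's own regular password is refused, whereas the merged variant accepts it, which is the accidental impersonation the reply warns about. With a PAM regular passdb, the master login succeeds only when pass=no; with pass=yes the destination-user lookup cannot be served and the login fails, matching what the thread reports.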