On Thu, 2007-12-20 at 13:57 -0500, Brendan wrote:
> I had (foolishly, it turns out) configured dovecot-auth to do LDAP authentication binding with a prefetch userdb (configs at end of message). Everything worked fine, although with huge numbers of POP logins per second we started to see some pileup in the pop3-login processes, as they were all waiting for LDAP responses on the single LDAP connection.
Maybe I should change this so it uses two connections. If you're not using the auth_bind_userdn setting, it would do 3 lookups (passdb/dn, bind, userdb).
> base = uid=%u,o=imap
> ..
> pass_filter = (&(proto=%s)(remoteip=%r)(localip=%l)(mech=%m)(pid=%p))
The authentication cache uses the %variables in pass_filter as the cache key. The reason it wasn't working was that the %s,%r,%l,%m,%p combination rarely matched twice. But once in a while it could have matched, causing Dovecot to return cached values for the wrong user because pass_filter didn't contain %u.
The problem only happened with users with the same password, because the password was still checked against the cached one. Normally someone should probably have wondered why their login was failing, except Dovecot does this automatic "if the password doesn't match the cached one, but the last login was successful, ignore the cache and do the passdb lookup".
So the solution is to include base's contents in auth cache key as well. Fixed: http://hg.dovecot.org/dovecot-1.0/rev/2cedab21cd6d
Hmm. I suppose this could be considered a security hole.. Time for v1.0.10 then.
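The cache-key collision described above, as an added model that is not Dovecot's code: the key is derived from the %variables in the configured templates, so a pass_filter without %u lets a second user with the same password receive the first user's cached userdb entry, while including base (which carries %u) keeps the keys apart. The request fields, %w as the password, and the user/home values are constructed assumptions.

```python
import re

# Constructed model of the auth cache, not Dovecot's own code: the cache key is
# built from the %variables found in the configured templates, so a pass_filter
# without %u makes two different users share a key.
BASE = "uid=%u,o=imap"
PASS_FILTER = "(&(proto=%s)(remoteip=%r)(localip=%l)(mech=%m)(pid=%p))"
VAR_RE = re.compile(r"%([a-zA-Z])")

def cache_key(templates, request):
    """Expand every %variable in the templates (in order, once) into a key."""
    names = []
    for t in templates:
        names += [v for v in VAR_RE.findall(t) if v not in names]
    return "\t".join(f"{v}={request[v]}" for v in names)

class AuthCache:
    def __init__(self, templates):
        self.templates = templates
        self.store = {}            # key -> (password, userdb fields)

    def authenticate(self, request, passdb):
        """Return (userdb fields, served_from_cache) for one login request."""
        key = cache_key(self.templates, request)
        hit = self.store.get(key)
        # The password is still compared with the cached one, which is why only
        # users sharing a password could ever receive each other's entry.
        if hit is not None and hit[0] == request["w"]:
            return hit[1], True
        fields = passdb(request["u"])          # real passdb/userdb lookup
        self.store[key] = (request["w"], fields)
        return fields, False

def fake_passdb(user):
    return {"home": f"/var/mail/{user}"}     # constructed userdb result

def login(user, password):
    # Same client attributes for everyone: %s proto, %r/%l IPs, %m mech, %p pid.
    return {"u": user, "w": password, "s": "pop3", "r": "10.0.0.7",
            "l": "10.0.0.1", "m": "PLAIN", "p": "4242"}

def second_login_home(include_base):
    """Alice logs in, then Bob with the same password; whose home does Bob get?"""
    templates = [BASE, PASS_FILTER] if include_base else [PASS_FILTER]
    cache = AuthCache(templates)
    cache.authenticate(login("alice", "hunter2"), fake_passdb)
    fields, cached = cache.authenticate(login("bob", "hunter2"), fake_passdb)
    return fields["home"], cached

if __name__ == "__main__":
    print("pass_filter only:", second_login_home(False))   # ('/var/mail/alice', True)
    print("base + pass_filter:", second_login_home(True))  # ('/var/mail/bob', False)
```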