We had this issue as well - switch your primary authentication to LDAP and make sure it is attempting those auth sources first before any PAM sources. You also don’t need to have your Dovecot server joined to the domain by doing it this way, which is nice.
We were previously using PAM auth through Kerberos as a method of authenticating from our LDAP servers. I can’t remember the reason why we decided to go with Dovecot->LDAP (no mediating auth service in between), but the performance was significantly faster.
Or, you can also try PAM using Kerberos, instead of Winbind (or whatever you are using with PAM). Just a thought.
~ Laz Peterson Paravis, LLC
On Jun 7, 2016, at 11:16 AM, aki.tuomi@dovecot.fi wrote:
On June 7, 2016 at 9:06 PM Ranbir m3freak@thesandhufamily.ca wrote:
On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
You have Pam as your passdb driver.
Yes, because I have to. How else would I get Dovecot to authenticate users against my FreeIPA server?
-- Ranbir
LDAP does come into mind... IPA after all IS ldap based. It's what sssd uses as well.
Aki Tuomi
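An added illustration of the passdb ordering suggested in this thread, not configuration posted by any participant: Dovecot tries `passdb` blocks in the order they appear, so the LDAP block is placed before PAM. The host name, DNs and CA path are assumed placeholder values for a FreeIPA-style directory.

```conf
# --- conf.d/auth-ldap.conf.ext (included from 10-auth.conf) ---
# passdb blocks are evaluated top to bottom; LDAP is tried first.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# PAM stays as a later source, e.g. for local system accounts.
passdb {
  driver = pam
}

# --- /etc/dovecot/dovecot-ldap.conf.ext ---
# Placeholder server name; ldaps:// keeps the bind password off the wire.
uris = ldaps://ipa.example.com

# Verify the directory server's certificate against the IPA CA
# (path is an assumption; use wherever your CA certificate lives).
tls_require_cert = demand
tls_ca_cert_file = /etc/ipa/ca.crt

# Authenticate by binding as the user, so Dovecot never needs read
# access to password hashes and the directory enforces its own policy.
auth_bind = yes

# Placeholder DN template; %n is the user name without the domain part.
# With a template, no service account or search is needed for passdb.
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

# Placeholder search base for the same subtree.
base = cn=users,cn=accounts,dc=example,dc=com
```

`doveadm auth test <user>` shows whether a login succeeds, and with `auth_debug = yes` the log shows which passdb handled it.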