Here is the reason for the login failure on Mac OS X (Server) when
using secondary short names:
the unix username is x_y, the additional short name (accepted for
authentication) is x.y:
Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS
IMPLEMENTATION: getpwnam() lookup returned different user than was
requested (x_y != x.y).
Jan 6 15:38:58 dns dovecot[281]: imap-login: Internal login failure
(auth failed, 1 attempts): user=
lip=127.0.0.1, secured
secure.log reports no errors:
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded,
creating credential for user x.y
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded,
creating shared credential for user x.y
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: Succeeded
authorizing right system.login.tty by client /usr/local/libexec/
dovecot/dovecot-auth for authorization created by /usr/local/libexec/
dovecot/dovecot-auth.
Back in 2006 Timo wrote in response to the same problem: "Well, you
could simply remove the check from src/auth/userdb-passwd.c. Perhaps I
could make this also optional. I'd anyway not want to remove that
check completely because nss_ldap is still not fixed."
This is not vital, but perhaps it is time to allow control over this
behaviour that seems to potentially affect various platforms? Or
perhaps should getpwnam return the short user name that matches the
passwd field supplied (if it exists)?
Giuliano
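The check behind the "BROKEN NSS IMPLEMENTATION" message, as an added example written for this post and not Dovecot's own code: getpwnam() is asked for the requested name and the entry is rejected when its pw_name differs, which is exactly what a secondary short name (x.y resolving to x_y) triggers. The strict flag models Timo's suggestion of making the check optional; all identifiers here are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Result of a passwd userdb lookup. The names in this example are
 * assumptions, not identifiers from Dovecot's src/auth/userdb-passwd.c. */
enum lookup_result { LOOKUP_OK, LOOKUP_NOTFOUND, LOOKUP_NAME_MISMATCH };

/* The name check itself. With strict set, an entry whose pw_name differs
 * from the requested name is rejected; that is what turns a secondary
 * short name (x.y resolving to x_y) into the "BROKEN NSS IMPLEMENTATION"
 * failure. With strict cleared the alias is accepted and the caller goes
 * on with the canonical name NSS returned. */
enum lookup_result classify_name(const char *requested, const char *returned,
                                 int strict)
{
    if (returned == NULL)
        return LOOKUP_NOTFOUND;
    if (strict && strcmp(requested, returned) != 0)
        return LOOKUP_NAME_MISMATCH;
    return LOOKUP_OK;
}

/* Resolve the name through the system's NSS, log the same diagnostic
 * Dovecot logs on a mismatch, and copy pw_name to canonical on success. */
enum lookup_result lookup_user(const char *requested, int strict,
                               char *canonical, size_t canonical_len)
{
    struct passwd *pw = getpwnam(requested);
    enum lookup_result r = classify_name(requested, pw ? pw->pw_name : NULL,
                                         strict);
    if (r == LOOKUP_NAME_MISMATCH)
        fprintf(stderr, "BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned "
                "different user than was requested (%s != %s)\n",
                pw->pw_name, requested);
    else if (r == LOOKUP_OK)
        snprintf(canonical, canonical_len, "%s", pw->pw_name);
    return r;
}

int main(int argc, char **argv)
{
    char canonical[256];
    const char *name = argc > 1 ? argv[1] : "root";
    enum lookup_result r = lookup_user(name, 1, canonical, sizeof canonical);
    printf("%s -> %s\n", name, r == LOOKUP_OK ? canonical :
           r == LOOKUP_NOTFOUND ? "not found" : "rejected");
    return r != LOOKUP_OK;
}
```

Run it with a secondary short name as the argument on the affected Mac OS X host to reproduce the rejection; on a system without aliases the lookup simply succeeds.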