Thanks for the clarification. The pam file for dovecot refers to system-auth:
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
Of course, system-auth does indeed have both (and needs both). However, I tried modifying the dovecot pam file to a few things instead of system-auth, but can't get it to work.
I've tried with just the following:
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session optional /lib/security/$ISA/pam_ldap.so
And I've also tried with all the system-auth lines, except the pam_unix.so ones, like this:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session optional /lib/security/$ISA/pam_ldap.so
In both of these situations, users can't authenticate. Is there something I'm doing wrong? I'm not that familiar with pam, so it's a very plausible cause! :)
Thanks again,
Steve Johnson
On Wed, 2004-07-07 at 13:57, Timo Sirainen wrote:
> On 7.7.2004, at 20:39, Steve Johnson wrote:
> > We currently have a postfix/dovecot setup using nss_ldap with PAM for authentication. Everything is working fine, but there are excessive "error" messages in /var/log/messages that I'd like to prevent from happening.
> > Since auth_userdb defaults to passwd and that our users are not in the passwd file, we get the following message every time a user logs in:
> passwd userdb actually uses NSS (or getpwnam() which uses it) and not /etc/passwd directly.
> > Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: check pass; user unknown
> > Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> That's written by pam_unix PAM module, not Dovecot. Do you have both pam_unix and pam_ldap in /etc/pam.d/dovecot? Remove the pam_unix.so lines from there.
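
An added example, not part of the original thread: a small Python check that parses a PAM service file and reports missing auth/account groups, any remaining pam_unix.so rules, and use_first_pass on an auth module that has nothing earlier in the stack to collect a password. It assumes the service needs the two groups the original dovecot file defines; the function names and the NO_PASSWORD set are hypothetical.

```python
import re

RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
REQUIRED = ("auth", "account")  # groups the original dovecot file defines
NO_PASSWORD = {"pam_env.so"}    # assumption: this module never stores a password

def parse_pam(text):
    """Parse PAM service-file text into (type, control, module, args) tuples."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            kind, control, path, args = m.groups()
            rules.append((kind, control, path.rsplit("/", 1)[-1], args.split()))
    return rules

def audit(text):
    """Report missing groups, pam_unix.so rules and unbacked use_first_pass."""
    rules = parse_pam(text)
    present = {kind for kind, _, _, _ in rules}
    report = {"missing": [g for g in REQUIRED if g not in present],
              "pam_unix": [kind for kind, _, mod, _ in rules if mod == "pam_unix.so"],
              "unbacked_first_pass": []}
    have_password = False  # has an earlier auth module been able to collect one?
    for kind, _, module, args in rules:
        if kind != "auth":
            continue
        if "use_first_pass" in args and not have_password:
            report["unbacked_first_pass"].append(module)
        elif module not in NO_PASSWORD:
            have_password = True  # assumption: any other module may prompt
    return report

# Second modified file from the message above, one rule per line.
ATTEMPT_2 = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session optional /lib/security/$ISA/pam_ldap.so
"""

if __name__ == "__main__":
    print(audit(ATTEMPT_2))
```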