Can passdb be bypassed for non-plaintext authentication mechanisms
I am using Active Directory authentication via gssapi for most users. In dovecot.conf I have:

    auth_mechanisms = plain login gssapi
    auth_use_winbind = yes

I also have

    passdb {
      driver = shadow
    }
    userdb {
      driver = passwd
    }

for those few users who are NOT AD users.
Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks them up in shadow, which ALWAYS fails.
The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with non-plaintext authentication mechanisms."
Is there a way to bypass checking passdb (and userdb?) for these mechanisms?
--Mark
On 05.12.2017 08:05, Mark Foley wrote:
> I am using Active Directory authentication via gssapi for most users. In dovecot.conf I have:
>
>     auth_mechanisms = plain login gssapi
>     auth_use_winbind = yes
>
> I also have
>
>     passdb {
>       driver = shadow
>     }
>     userdb {
>       driver = passwd
>     }
>
> for those few users who are NOT AD users.
> Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks them up in shadow, which ALWAYS fails.
> The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with non-plaintext authentication mechanisms."
> Is there a way to bypass checking passdb (and userdb?) for these mechanisms?
> --Mark

You can try:

    passdb {
      ...
      skip = authenticated
    }

In a very recent Dovecot version you could use mechanism_filter too, but I guess skip=authenticated should work.
Aki
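
Added example, not part of the thread and not Dovecot's own code: a small Python check that reads dovecot.conf-style text and lists the passdb blocks that lack the skip setting suggested in the reply while gssapi is among auth_mechanisms. The function names and the sample config layout are assumptions, and the parser handles only flat, one-level sections.

```python
import re

# Constructed sample: the settings quoted in the thread, one per line.
SAMPLE_CONF = """\
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
passdb {
  driver = shadow
}
userdb {
  driver = passwd
}
"""

def parse_conf(text):
    """Return (top-level settings, list of (section name, settings))."""
    top, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified)
        if not line:
            continue
        opened = re.fullmatch(r"(\w+)\s*\{", line)
        if opened and current is None:
            current = (opened.group(1), {})  # start of a flat section
            sections.append(current)
        elif line == "}":
            current = None                   # end of the section
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (current[1] if current else top)[key] = value
    return top, sections

def passdbs_without_skip(text):
    """Drivers of passdb blocks with no 'skip' setting while gssapi is enabled."""
    top, sections = parse_conf(text)
    if "gssapi" not in top.get("auth_mechanisms", "").split():
        return []
    return [settings.get("driver", "?") for name, settings in sections
            if name == "passdb" and "skip" not in settings]

def with_suggested_skip(text):
    """Sample config with the reply's skip = authenticated added to the shadow passdb."""
    return text.replace("driver = shadow",
                        "driver = shadow\n  skip = authenticated")

if __name__ == "__main__":
    print(passdbs_without_skip(SAMPLE_CONF))                       # as posted
    print(passdbs_without_skip(with_suggested_skip(SAMPLE_CONF)))  # with skip
```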
Participants (2): Aki Tuomi, Mark Foley