[Dovecot] Dovecot & pam_mkhomedir

Stroller linux.luser at myrealbox.com
Mon Dec 19 02:51:26 EET 2005


Sorry to flood the list with this... but I've _finally_ figured out the 
problem.

From what appears to be the correct syntax, I find this difficult to read:

	passdb pam {
	    # [-session] [cache_key=<key>] [<service name>]
	    #
	    # -session makes Dovecot open and immediately close PAM session. Some
	    # PAM plugins need this to work.
	    #
	    # If service name is "*", it means the authenticating service name
	    # is used, eg. pop3 or imap.
	    args = "*"
	}

That suggests to me that some of the following are valid syntax:

	passdb pam {
	    -session cache_key=%n
	    args = "*"
	}
or:
	passdb pam { -session cache_key=%n imap
	}
or:
	passdb pam {
	-session
	cache_key=%n
	imap
	}
or:
	passdb pam { -session cache_key=%n
	args="imap"
	}

For some of these, Dovecot refuses to start; for others it starts but 
"-session" appears to be ignored. I think that for others the user 
can't authenticate at all, but I've been trying a LOT of combinations 
this evening, and I'm not clear on the correct logic of this, or whether 
the guilty one is a combination I haven't remembered.

IMHO the best way to document this in the supplied dovecot.conf would 
be:

   # PAM authentication. Preferred nowadays by most systems.
   # Note that PAM can only be used to verify if user's password is correct,
   # so it can't be used as userdb. If you don't want to use a separate user
   # database (passwd usually), you can use static userdb.
   passdb pam {
     # [-session] [cache_key=<key>] [<service name>]
     #
     # -session makes Dovecot open and immediately close PAM session. Some
     # PAM plugins need this to work.
     #
     # cache_key can be used to enable authentication caching for PAM
     # (auth_cache_size also needs to be set). It isn't enabled by default
     # because PAM modules can do all kinds of checks besides checking password,
     # such as checking IP address. Dovecot can't know about these checks
     # without some help. cache_key is simply a list of variables (see
     # doc/variables.txt) which must match for the cached data to be used.
     # Here are some examples:
     #   %u - Username must match. Probably sufficient for most uses.
     #   %u%r - Username and remote IP address must match.
     #   %u%s - Username and service (ie. IMAP, POP3) must match.
     #
     # If service name is "*", it means the authenticating service name
     # is used, eg. pop3 or imap.
     #
     # EXAMPLES:
     #
     # args = "-session cache_key=%n imap"
     # args = "-session *"
     # args = "*"
     args = "*"
   }

Or have I been really dumb to miss this?

It took me ages to get:

	passdb pam {
	args = "-session *"
	}

And the moment I did, it worked PERFECTLY.

Stroller.
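The confusion in the post comes down to one rule: `-session`, `cache_key=<key>` and the service name are tokens of the `args` string, not settings of their own, so they only take effect inside the quotes. The following is an added example, not code from the post or from Dovecot, that applies the `[-session] [cache_key=<key>] [<service name>]` grammar quoted above to a `passdb pam { ... }` block and reports what each form would mean. It is a deliberately simplified stand-in for Dovecot's real config parser (an assumption; it is not Dovecot's code), and the two warnings it emits are derived from the quoted comment text: caching needs `auth_cache_size`, and a cache key without `%r` lets a cached result skip any per-IP check a PAM module performs.

```python
import re

# Simplified model of the documented syntax:
#   passdb pam { args = "[-session] [cache_key=<key>] [<service name>]" }
# A passdb block only accepts "key = value" settings, so a bare "-session"
# or "cache_key=%n" line inside the braces is a syntax error here.
PASSDB_RE = re.compile(r'passdb\s+pam\s*\{(.*?)\}', re.S)
SETTING_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$')
CACHE_SIZE_RE = re.compile(r'^\s*auth_cache_size\s*=\s*(\d+)', re.M)


def parse_pam_args(args):
    """Split the args string into its three optional fields."""
    result = {"session": False, "cache_key": None, "service": None}
    for tok in args.split():
        if tok == "-session":
            result["session"] = True
        elif tok.startswith("cache_key="):
            result["cache_key"] = tok[len("cache_key="):]
        elif result["service"] is None:
            result["service"] = tok  # "*" = use the authenticating service
        else:
            raise ValueError("unexpected token in args: %r" % tok)
    return result


def parse_passdb_pam(conf):
    """Extract and parse the args setting of the passdb pam block."""
    m = PASSDB_RE.search(conf)
    if not m:
        raise ValueError("no passdb pam block found")
    args = ""
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        sm = SETTING_RE.match(line)
        if not sm:
            raise ValueError("not a 'key = value' setting: %r" % line)
        key, value = sm.groups()
        if key != "args":
            raise ValueError("unknown setting %r in passdb pam" % key)
        args = value
    return parse_pam_args(args)


def describe(conf):
    """Parse the block and attach the caveats a reviewer would raise."""
    info = parse_passdb_pam(conf)
    warnings = []
    if info["cache_key"] is not None:
        size = CACHE_SIZE_RE.search(conf)
        if not size or int(size.group(1)) == 0:
            warnings.append("cache_key set but auth_cache_size is unset: "
                            "no caching will happen")
        if "%r" not in info["cache_key"]:
            warnings.append("cache_key lacks %r: a cached hit bypasses any "
                            "remote-IP check done by PAM modules")
    info["warnings"] = warnings
    return info


if __name__ == "__main__":
    # Constructed samples: the form that finally worked, and one of the
    # rejected candidates from the post.
    working = 'passdb pam {\n\targs = "-session *"\n}\n'
    broken = 'passdb pam {\n\t-session cache_key=%n\n\targs = "*"\n}\n'
    print(describe(working))
    try:
        describe(broken)
    except ValueError as e:
        print("rejected:", e)
```

Running it on the four candidate forms in the post rejects the three that put tokens outside the quotes and accepts only `args = "..."`, which is exactly the behaviour Stroller eventually stumbled on.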
