[Dovecot] comment on dovecot documentation on PAM

Luis Meléndez luism at uco.es
Fri May 12 19:12:28 EEST 2006


Hi all

president at irithm.com wrote:
> Dear Dovecote devotees,
> 
> I have been going through dovecot configuration for the 
> first time. I am not an experienced systems administrator
> so I had to do a left turn to read up about PAM while
> doing all the configuration for my new webmail service.
>  
> I found the writing in the dovecot documentation about
> PAM to be rather misleading in at least one aspect.
> The documentation I am specifically referring to is at
> http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
> and in the comments found in the dovecot.conf file.
> In this documentation PAM is referred to as a password database.
> It appears that is not correct, rather PAM is something
> that uses a password database. 

Strictly speaking, PAM is not something that uses a password database.
It is an authentication system. Among other things, it checks if a
given pair username/password is correct or not. Maybe trying an LDAP bind,
but I'd not say that LDAP can be considered a 'password database'.

> Since the default for "auth_passdb" given in dovecot.conf was
> "pam" I spent some time trying to find a pam password database.

I agree with you that 'password database' is not the best term,
but it is a minor issue. Any system administrator will understand
what it refers to. Let me say that the separation between user
lookup and authentication systems is one of the (many) good
ideas in Dovecot. For example, it allows an administrator to
access any account for solving problems without the need for
the mechanism of 'master password'.

> I eventually found out at an independent website that what pam 
> uses is either /etc/passwd or /etc/shadow or /etc/samba/smbpasswd. 
> It was a relief to find out pam uses one of these, since
> my system has one of them (/etc/shadow), but I was looking to 
> find something quite different for pam since /etc/shadow is 
> one of the listed alternative values for "auth_passdb". 
> 
> I would have been spared a somewhat lengthy search to find out 
> this information if the documentation was written rather more 
> clearly. So, to help others, I suggest changing the following
> lines in dovecot.conf 
> 
> # Where password database is kept:
> #   passwd: /etc/passwd or similiar, using getpwnam()
> #   shadow: /etc/shadow or similiar, using getspnam()
> #   pam [<service> | *]: PAM authentication
> 
> to:
> 
> # Where password database is kept:
> #   passwd: /etc/passwd or similiar, using getpwnam()
> #   shadow: /etc/shadow or similiar, using getspnam()
> #   pam [<service> | *]: /etc/shadow or similiar, using PAM authentication
> 
> 
> Updating the documentation in 
> http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
> to include a phrase that mentions that PAM authentication 
> works from one of the standard password databases (i.e. /etc/passwd, 
> /etc/shadow or /etc/samba/smbpasswd) would also be helpful.

I don't think that correction is necessary. Any system administrator
must understand PAM not only for Dovecot, but for any service that requires
authentication. The documentation of all those services cannot be a
tutorial.

Best regards.

-- 
+----------------------------------------------^-----------------------+
| Luis Meléndez Aganzo                         ^  Email: luism at uco.es  |
| Servicio de Informática                      ^  Tlf: 34-(9)57-211022 |
| Área de Sistemas                             ^  Fax: 34-(9)57-218116 |
| Universidad de Córdoba (SPAIN)               ^  http://www.uco.es    |
+----------------------------------------------^-----------------------+
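
The thread turns on what PAM actually checks credentials against. The sketch below is an added example, not part of the original message or of Dovecot: it walks the "auth" stack of a PAM service file and reports which backend each module consults. The function name, the module-to-backend table and the sample file contents are constructed for illustration. It reads from a dict standing in for /etc/pam.d/ and goes slightly beyond the thread by following include directives.

```python
import re

# Common auth modules and what they verify credentials against.
BACKENDS = {
    "pam_unix.so": "/etc/passwd and /etc/shadow",
    "pam_ldap.so": "LDAP directory (bind)",
    "pam_krb5.so": "Kerberos KDC",
    "pam_smbpass.so": "Samba smbpasswd",
    "pam_deny.so": "none (always denies)",
    "pam_permit.so": "none (always permits)",
}

# PAM line: type, control (simple word or [bracketed]), module, arguments.
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_backends(service, files, seen=None):
    """Return [(module, control, backend)] for the auth stack of `service`.
    `files` maps service name -> file text (stand-in for /etc/pam.d/)."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []                      # avoid include loops / missing files
    seen.add(service)
    out = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):            # Debian-style include
            out += auth_backends(line.split()[1], files, seen)
            continue
        m = LINE.match(line)
        if not m or m.group(1) != "auth":          # only the auth stack
            continue
        _, control, module, _ = m.groups()
        if control in ("include", "substack"):     # Red Hat-style include
            out += auth_backends(module, files, seen)
        else:
            name = module.rsplit("/", 1)[-1]
            out.append((name, control, BACKENDS.get(name, "unknown, see module docs")))
    return out

# Constructed sample files, not taken from any real system.
SAMPLE = {
    "dovecot": "#%PAM-1.0\n@include common-auth\naccount required pam_unix.so\n",
    "common-auth": "auth [success=2 default=ignore] pam_unix.so nullok_secure\n"
                   "auth [success=1 default=ignore] pam_ldap.so use_first_pass\n"
                   "auth requisite pam_deny.so\n",
}

if __name__ == "__main__":
    for module, control, backend in auth_backends("dovecot", SAMPLE):
        print(f"{module:15} {control:28} -> {backend}")
```

With this sample stack the same "pam" passdb setting in dovecot.conf ends up checking /etc/shadow first and an LDAP bind second, which is why the backing store cannot be named in Dovecot's own documentation.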

