[Dovecot] Auth Issues - Urgent - Help!

David Cunningham davec at mecnet.net
Fri Nov 21 21:50:44 EET 2008


I think the last thing you say is exactly what is happening to me.  I  
think the user is updating the password, but a slight delay in my LDAP  
replication is causing them to try the new password before it is  
actually the new password.

Yes, I was referring to auth_cache_negative_ttl=0.  I didn't realize  
that was user not found only.  Is there any way to force the cache to  
check the password for anything that was not previously cached as  
being the correct password?

Dave

Quoting Timo Sirainen <tss at iki.fi>:

> On Wed, 2008-11-19 at 22:17 -0500, David Cunningham wrote:
>> Well, most of my issues are gone with adding auth cache.  However, I
>> am having an issue.  Sometimes, even though cache incorrect passwords
>> is disabled,
>
> Do you mean auth_cache_negative_ttl=0 by this? It only affects "user not
> found" caching.
>
>> new passwords do not work.  It would seem that once a
>> user logs in with one password successfully the cache does not
>> automatically retry if the user tries a different password.  I would
>> think that the auth cache should check to see if the password changed
>> on the ldap server if something other than the cached password is
>> entered.
>>
>> Is this something wrong with my configuration, or the auth code itself?
>
> The way it should work is that:
>
> 1) User logs in with password X which succeeds.
> 2) Password is changed to Y.
> 3) User logs in with password Y. Dovecot sees that X != Y, but it sees
> that the previous auth succeeded, so it'll do an auth lookup, sees that
> the password was changed and caches it.
>
> But this can also happen:
>
> 1) User logs in with password X which succeeds.
> 2) Password is changed to Y.
> 3) User logs in with password X, which succeeds.
>
> Or:
>
> 1) User logs in with password X which succeeds.
> 2) User logs in with password Y. Dovecot sees that X != Y, but it sees
> that the previous auth succeeded, so it'll do an auth lookup and sees
> that the password wasn't changed.
> 3) Password is changed to Y.
> 4) User logs in with password Y. Dovecot sees that X != Y, but it sees
> that the previous auth failed, so it doesn't bother doing another
> lookup.
>
> Can you consistently make Dovecot behave differently as described above?
>
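
The three sequences Timo lays out above, replayed in a small model so the difference between them is visible. This is an added illustration, not Dovecot's code and not anything from the thread: `AuthCache` is a hypothetical cache that remembers the last password the backend confirmed for a user plus whether the most recent lookup succeeded, and `passdb` is a dict standing in for the LDAP directory. The `recheck_on_mismatch` switch is also hypothetical; it models the behaviour Dave asks about (look the user up on any password that differs from the cached one) and is not a real Dovecot setting.

```python
from dataclasses import dataclass


@dataclass
class CacheEntry:
    password: str          # last password the backend confirmed for this user
    last_succeeded: bool   # outcome of the most recent backend lookup


class AuthCache:
    """Model of the cache behaviour described in the thread (not Dovecot code).

    `passdb` stands in for LDAP: user -> current password.
    `recheck_on_mismatch=True` is a hypothetical setting that performs a
    backend lookup for any password differing from the cached one.
    """

    def __init__(self, passdb, recheck_on_mismatch=False):
        self.passdb = passdb
        self.recheck_on_mismatch = recheck_on_mismatch
        self.entries = {}
        self.lookups = 0   # number of backend (LDAP) lookups performed

    def _lookup(self, user, password):
        self.lookups += 1
        return self.passdb.get(user) == password

    def authenticate(self, user, password):
        entry = self.entries.get(user)
        if entry is None:
            ok = self._lookup(user, password)
            if ok:
                self.entries[user] = CacheEntry(password, True)
            return ok
        if password == entry.password:
            # Same password the backend last confirmed: answered from the
            # cache, so a change in LDAP is not noticed (scenario 2).
            return True
        if not entry.last_succeeded and not self.recheck_on_mismatch:
            # Previous lookup failed and the password still differs from the
            # cached one: no new lookup (scenario 3, step 4).
            return False
        ok = self._lookup(user, password)
        if ok:
            self.entries[user] = CacheEntry(password, True)
        else:
            entry.last_succeeded = False
        return ok


def run_scenarios(recheck_on_mismatch=False):
    """Replay the three sequences from the thread with constructed data."""
    results = {}
    # Scenario 1: X succeeds, password changed to Y, login with Y.
    cache = AuthCache({"dave": "X"}, recheck_on_mismatch)
    cache.authenticate("dave", "X")
    cache.passdb["dave"] = "Y"
    results["changed_then_new"] = cache.authenticate("dave", "Y")
    # Scenario 2: X succeeds, password changed to Y, login with the old X.
    cache = AuthCache({"dave": "X"}, recheck_on_mismatch)
    cache.authenticate("dave", "X")
    cache.passdb["dave"] = "Y"
    results["changed_then_old"] = cache.authenticate("dave", "X")
    # Scenario 3: X succeeds, Y tried too early and fails, password then
    # changed to Y (the replication-delay case), login with Y again.
    cache = AuthCache({"dave": "X"}, recheck_on_mismatch)
    cache.authenticate("dave", "X")
    cache.authenticate("dave", "Y")
    cache.passdb["dave"] = "Y"
    results["failed_then_changed"] = cache.authenticate("dave", "Y")
    results["lookups_in_scenario_3"] = cache.lookups
    return results


if __name__ == "__main__":
    print("as described:", run_scenarios())
    print("recheck on mismatch:", run_scenarios(recheck_on_mismatch=True))
```

With the default behaviour, scenario 3 keeps rejecting the now-correct password without ever asking LDAP again, which is the symptom in this thread; scenario 2 shows the mirror image, the old password still being accepted from the cache after a change. Turning on the hypothetical recheck fixes scenario 3 at the cost of one backend lookup for every mismatching password, so the cache no longer absorbs repeated wrong attempts; the thread leaves open whether Dovecot offers such an option.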
