[Dovecot] Authentication cache, failure to login after changed password

Timo Sirainen tss at iki.fi
Tue Jan 20 16:29:22 EET 2009


On Tue, 2009-01-20 at 09:53 +0100, Tom Sommer wrote:
> sql(user at example.com,127.0.0.1): query: SELECT username as user, 
> plainpassword as password, nopassword FROM cyrususers WHERE username = 
> 'user at example.com' AND password = PASSWORD('SECRET') AND active = 1
> dovecot: Jan 20 09:01:18 Info: auth-worker(default): 
> sql(user at example.com,127.0.0.1): unknown user
..
> It appears the user missed the cache, a SQL lookup is performed (which 
> returns 1 record, I tested the query directly) - however for some reason 
> the lookup is set as Unknown User, a state which it then keeps. 

It's most likely set to unknown user because the password=PASSWORD()
check fails and no rows are returned. If you're already returning
plainpassword for Dovecot, why do you do the password check also in the
SQL query? That doesn't allow Dovecot to differentiate between unknown
user and invalid password.

> Obviously I can adjust this with auth_cache_negative_ttl, but I presumed 
> the default value was always 0

Nope, 3600.

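An added illustration of the point made in the reply above (not part of the original message, and not Dovecot code): with the password test inside the WHERE clause, a wrong password and a missing account both yield zero rows, so the failure is recorded as "unknown user" and held for the negative TTL. The sqlite3 table, the function names and the username-keyed cache are assumptions of this simplified model, and MySQL's PASSWORD() is replaced by a plain comparison.

```python
import hmac
import sqlite3

def make_db():
    # Constructed sample row; table and columns follow the query in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cyrususers (username TEXT, plainpassword TEXT, active INTEGER)")
    db.execute("INSERT INTO cyrususers VALUES ('user@example.com', 'SECRET', 1)")
    return db

def lookup_filtered(db, user, password):
    # Thread's query shape: the password test sits in the WHERE clause
    # (MySQL's PASSWORD() is replaced here by a plain comparison).
    row = db.execute(
        "SELECT username FROM cyrususers "
        "WHERE username = ? AND plainpassword = ? AND active = 1",
        (user, password)).fetchone()
    return "ok" if row else "unknown user"  # zero rows is the only failure signal

def lookup_by_user(db, user, password):
    # Select by username only; the caller compares the returned password.
    row = db.execute(
        "SELECT plainpassword FROM cyrususers WHERE username = ? AND active = 1",
        (user,)).fetchone()
    if row is None:
        return "unknown user"
    same = hmac.compare_digest(row[0].encode(), password.encode())
    return "ok" if same else "password mismatch"

class NegativeCache:
    # Simplified model keyed by username (assumption); not Dovecot's implementation.
    def __init__(self, ttl):
        self.ttl, self.expiry = ttl, {}

    def auth(self, lookup, db, user, password, now):
        if now < self.expiry.get(user, 0):
            return "unknown user (cached)"
        result = lookup(db, user, password)
        if result == "unknown user" and self.ttl > 0:
            self.expiry[user] = now + self.ttl
        return result

def scenario(lookup, ttl=3600):
    # A stale password at t=0, then the correct one at t=60 and t=3601 seconds.
    db, cache = make_db(), NegativeCache(ttl)
    attempts = [(0, "OLD"), (60, "SECRET"), (3601, "SECRET")]
    return [cache.auth(lookup, db, "user@example.com", pw, t) for t, pw in attempts]

if __name__ == "__main__":
    print(scenario(lookup_filtered))
    print(scenario(lookup_by_user))
```
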

