Can passdb be bypassed for non-plaintext authentication mechanisms

Aki Tuomi aki.tuomi at dovecot.fi
Tue Dec 5 11:31:16 EET 2017



On 05.12.2017 08:05, Mark Foley wrote:
> I am using Active directory authentication via gssapi for most users.  In dovecot.conf I have:
>
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
>
> I also have
>
> passdb { driver = shadow }
> userdb { driver = passwd }
>
> for those few users who are NOT AD users.
>
> Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks
> them up in shadow, which ALWAYS fails. 
>
> The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with
> non-plaintext authentication mechanisms."
>
> Is there a way to bypass checking passdb (and userdb?) for these mechanism?
>
> --Mark

You can try:

passdb {
...

skip = authenticated
}

In very recent dovecot version you could use mechanism_filter too, but I
guess skip=authenticated should work.

Aki


More information about the dovecot mailing list