Can passdb be bypassed for non-plaintext authentication mechanisms
Aki Tuomi
aki.tuomi at dovecot.fi
Tue Dec 5 11:31:16 EET 2017
On 05.12.2017 08:05, Mark Foley wrote:
> I am using Active directory authentication via gssapi for most users. In dovecot.conf I have:
>
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
>
> I also have
>
> passdb { driver = shadow }
> userdb { driver = passwd }
>
> for those few users who are NOT AD users.
>
> Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks
> them up in shadow, which ALWAYS fails.
>
> The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with
> non-plaintext authentication mechanisms."
>
> Is there a way to bypass checking passdb (and userdb?) for these mechanism?
>
> --Mark
You can try:
passdb {
...
skip = authenticated
}
In very recent dovecot version you could use mechanism_filter too, but I
guess skip=authenticated should work.
Aki
More information about the dovecot
mailing list