Sorry to flood the list with this... but I've _finally_ figured out the problem.
From what appears to be the correct syntax I find this difficult to read:

passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  #
  # If service name is "*", it means the authenticating service name
  # is used, eg. pop3 or imap.
  args = "*"
}
That suggests to me that some of the following are valid syntax:
passdb pam {
-session cache_key=%n
args = "*"
}
or:

passdb pam { -session cache_key=%n imap }

or:

passdb pam { -session cache_key=%n args="imap" }
For some of these, Dovecot refuses to start, for others it starts but "-session" appears to be ignored. I think that for others the user can't authenticate at all, but I've been trying a LOT of combinations this evening, and I'm not clear on the correct logic of this & if the guilty one is a combination I haven't remembered.
IMHO the best way to document this in the supplied dovecot.conf would be:
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  #
  # cache_key can be used to enable authentication caching for PAM
  # (auth_cache_size also needs to be set). It isn't enabled by default
  # because PAM modules can do all kinds of checks besides checking password,
  # such as checking IP address. Dovecot can't know about these checks
  # without some help. cache_key is simply a list of variables (see
  # doc/variables.txt) which must match for the cached data to be used.
  # Here are some examples:
  #   %u    - Username must match. Probably sufficient for most uses.
  #   %u%r  - Username and remote IP address must match.
  #   %u%s  - Username and service (ie. IMAP, POP3) must match.
  #
  # If service name is "*", it means the authenticating service name
  # is used, eg. pop3 or imap.
  #
  # EXAMPLES:
  #
  #   args = "-session cache_key=%n imap"
  #   args = "-session *"
  #   args = "*"
  args = "*"
}
Or have I been really dumb to miss this?
It took me ages to get:
passdb pam {
args = "-session *"
}
And the moment I did, it worked PERFECTLY.
Stroller.
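As an added illustration (not Dovecot's own parser), a small checker for the syntax the dovecot.conf comment documents, `[-session] [cache_key=<key>] [<service name>]`, which only means something inside the quoted `args` value; it flags the forms above that put `-session` or `cache_key=` outside `args`. It only models the documented grammar; whether Dovecot accepts a given form is taken from this post, not from the code.

```python
import re

# Documented form of the quoted args value: [-session] [cache_key=<key>] [<service name>]
ARGS_LINE = re.compile(r'args\s*=\s*"([^"]*)"')
BLOCK = re.compile(r'\s*passdb\s+pam\s*\{(.*)\}\s*', re.DOTALL)

def parse_pam_args(args):
    """Parse the quoted args value; raise ValueError if it does not fit the documented form."""
    tokens = args.split()
    parsed = {"session": False, "cache_key": None, "service": None}
    if tokens and tokens[0] == "-session":
        parsed["session"] = True
        tokens = tokens[1:]
    if tokens and tokens[0].startswith("cache_key="):
        parsed["cache_key"] = tokens[0][len("cache_key="):]
        if not parsed["cache_key"]:
            raise ValueError("cache_key= needs a value such as %u")
        tokens = tokens[1:]
    if tokens:
        parsed["service"] = tokens[0]  # "*" means the authenticating service name
        tokens = tokens[1:]
    if tokens:
        raise ValueError("unexpected token(s) after service name: " + " ".join(tokens))
    return parsed

def check_passdb_pam(snippet):
    """Return (ok, detail) for a `passdb pam { ... }` snippet.

    Only comment lines and args = "..." lines are accepted inside the braces;
    a bare -session or cache_key= outside args is reported instead of silently
    dropped, which is the failure mode the post describes (ignored or refused).
    """
    m = BLOCK.fullmatch(snippet)
    if not m:
        return False, "not a passdb pam { ... } block"
    parsed = None
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        am = ARGS_LINE.fullmatch(line)
        if not am:
            return False, 'only args = "..." belongs inside the block, found: ' + line
        try:
            parsed = parse_pam_args(am.group(1))
        except ValueError as e:
            return False, str(e)
    if parsed is None:
        return False, 'no args = "..." line in block'
    return True, parsed
```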