This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 11 and 12
Revision 11 as of 2009-03-15 22:35:09
Size: 2199
Editor: localhost
Comment: converted to 1.6 markup
Revision 12 as of 2010-03-12 05:13:06
Size: 2793
Editor: MARTINFOSTER-PC
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
Line 20: Line 19:
=== SQL ===
dovecot-sql.conf:
Line 21: Line 22:
=== SQL ===

dovecot-sql.conf:
Line 29: Line 27:
=== LDAP ===
dovecot-ldap.conf
Line 30: Line 30:
=== LDAP === format is <ldap attribute 1>=<dovecot field 1>,<ldap attribute 2>=<dovecot field 2>,...
Line 32: Line 32:
dovecot-ldap.conf:
Line 34: Line 33:
pass_attrs=uid=user,userPassword=password,proxy,hostName=host pass_attrs=uid=user,userPassword=password,someAttribute=proxy,hostName=host
Line 36: Line 35:
Note about the "proxy" or "proxy_maybe" fields: these represent an existence test.
Line 37: Line 37:
In LDAP, this translates to "will proxy (or proxy_maybe) if this attribute exists". This allows the proxy behaviour to be selectable per user. To have it "always" on, pick an attribute that's required to exist by schema, eg. "cn" if using the inetOrgPerson schema.

so if using the cn (common name) attribute, pass_attrs would be:

{{{
pass_attrs=uid=user,userPassword=password,cn=proxy,hostName=host
}}}
Line 38: Line 45:

Password database extra fields

The primary purpose of a password database lookup is to return the password for a given user. It may however also return other fields which are treated specially:

  • user: Change the username (eg. lowercase it).

  • allow_nets: Allow user to log in from only specified IPs.

  • proxy and proxy_maybe: Proxy the connection to another IMAP/POP3 server.

  • host: Send login referral to client.

  • nologin: User isn't actually allowed to log in even if the password matches, with optionally a different reason given as the authentication failure message.

  • nodelay: Don't delay reply to client in case of an authentication failure.

  • nopassword: v1.1+: If you want to allow all passwords, use an empty password and this field.

How to return these extra fields depends on the password database you use. See the password database pages on how to do it. Some passdbs however don't support returning them at all, such as PAM.

The password database may also return fields prefixed with userdb_. These fields are only saved and used later as if they came from the user database's extra fields. Typically this is done only when using prefetch userdb.

Note that boolean fields are true always if the field exists. So nodelay, nodelay=yes, nodelay=no and nodelay=0 all mean that the nodelay field is true. With SQL the field is considered to be non-existent if its value is NULL.

Examples

SQL

dovecot-sql.conf:

password_query = SELECT userid as user, password, 'Y' as proxy, host \
  FROM users WHERE userid = '%u'
# NOTE: Dovecot doesn't really support line splitting with '\' currently

LDAP

dovecot-ldap.conf

format is <ldap attribute 1>=<dovecot field 1>,<ldap attribute 2>=<dovecot field 2>,...

pass_attrs=uid=user,userPassword=password,someAttribute=proxy,hostName=host

Note about the "proxy" or "proxy_maybe" fields: these represent an existence test.

In LDAP, this translates to "will proxy (or proxy_maybe) if this attribute exists". This allows the proxy behaviour to be selectable per user. To have it "always" on, pick an attribute that's required to exist by schema, eg. "cn" if using the inetOrgPerson schema.

so if using the cn (common name) attribute, pass_attrs would be:

pass_attrs=uid=user,userPassword=password,cn=proxy,hostName=host

passwd-file

user:{plain}pass::::::proxy=y host=127.0.0.1

None: PasswordDatabase/ExtraFields (last edited 2019-09-11 14:02:20 by MichaelSlusarz)