This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Revision history shown on this page: revision 2 as of 2006-06-04 09:02:18 (editor ChaseTec); revision 3 as of 2006-06-05 21:16:59 (comment: "Revise spelling and wording.").

PAM - Pluggable Authentication Modules

This is the most common way to authenticate system users nowadays. PAM is not itself a password database; its configuration tells the system how exactly to do the authentication. Usually this means using the pam_unix.so module, which checks the user's password against the system's shadow password file.

Because PAM is not an actual database, Dovecot can only hand it a plaintext password to verify; it never gets a password or hash back. Only plaintext authentication mechanisms (PLAIN, LOGIN) can therefore be used with PAM, and challenge-response mechanisms such as CRAM-MD5 cannot. Keep disable_plaintext_auth at its default of yes so that such logins are accepted only over TLS or from localhost. PAM cannot be used as a user database either; it is usually paired with the passwd or static user databases, or with NSS (Name Service Switch).

The PAM configuration usually lives in the /etc/pam.d/ directory, one file per service (older systems, and Solaris, use a single file, /etc/pam.conf). By default Dovecot uses dovecot as the PAM service name, so the configuration is read from /etc/pam.d/dovecot. You can change this by giving the desired service name as a bare word in the passdb's args (after any options such as session=yes), e.g. args = imap would use /etc/pam.d/imap. You can also set the service to *, in which case Dovecot uses either the imap or the pop3 service, depending on which protocol the user is logging in with.

By giving a session=yes parameter, you make Dovecot open a PAM session and close it again immediately after authentication. Some PAM modules need this, for instance pam_mkhomedir, which creates the home directory from the session stack. With this parameter, the passdb section in the Dovecot v2.x configuration looks something like this:

passdb {
  driver = pam
  args = session=yes *
}

Dovecot should work with Linux PAM, Solaris PAM, OpenPAM (FreeBSD) and ApplePAM (Mac OS X).

Here is an example /etc/pam.d/dovecot configuration file which uses standard UNIX authentication. Two things to check before copying it: nullok lets an account whose shadow password field is empty log in with an empty password, so drop it unless you really want that; and because pam_unix.so has to read /etc/shadow, Dovecot's auth-worker processes run as root by default (service auth-worker { user = root }). Only change that user if your PAM stack does not need root.

auth    required        pam_unix.so nullok
account required        pam_unix.so 

For Solaris you will have to edit /etc/pam.conf, where the first column is the service name and the auth, account and session phases use separate modules. The example below is registered under the imap service, so it matches a passdb with args = * (for IMAP logins) or args = imap:

imap    auth    required        pam_unix_auth.so.1
imap    account required        pam_unix_account.so.1
imap    session required        pam_unix_session.so.1 
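
The following Python script is an added example and is not part of the Dovecot documentation or source. It ties the pieces above together: it resolves which PAM service file a pam passdb's args select for a given protocol (including the * shorthand), parses that stack in both the /etc/pam.d/ layout and the /etc/pam.conf layout, and flags the settings a reviewer would question, such as nullok on the auth line or session=yes with no session rules to run. The configuration fragments inside it are constructed for the script; apart from session=yes it does not interpret the option words, it only separates key=value options from the service name.

```python
"""Added example (not Dovecot code): resolve which PAM service file a 'pam'
passdb selects, parse that stack and flag settings worth a second look."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed samples, shaped like the fragments on this page.
DOVECOT_PAM_ARGS = "session=yes *"   # the 'args' value of passdb { driver = pam }

PAM_D_DOVECOT = """\
# /etc/pam.d/dovecot layout: type control module [args]
auth    required        pam_unix.so nullok
account required        pam_unix.so
"""

SOLARIS_PAM_CONF = """\
# /etc/pam.conf layout: service type control module [args]
imap    auth    required        pam_unix_auth.so.1
imap    account required        pam_unix_account.so.1
imap    session required        pam_unix_session.so.1
other   auth    required        pam_unix_auth.so.1
"""

# One token per column; a bracketed control like [success=1 default=ignore] stays whole.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


@dataclass
class PamRule:
    type: str      # auth, account, password, session (or include)
    control: str   # required, sufficient, requisite, [...]
    module: str
    args: list[str] = field(default_factory=list)


def resolve_pam_service(args: str, protocol: str) -> tuple[dict[str, str], str]:
    """Split passdb args into key=value options and the PAM service name.
    Bare words name the service (default 'dovecot'); '*' means the protocol
    name, so IMAP logins use /etc/pam.d/imap and POP3 logins /etc/pam.d/pop3."""
    opts: dict[str, str] = {}
    service = "dovecot"
    for word in args.split():
        if "=" in word:
            key, value = word.split("=", 1)
            opts[key] = value
        else:
            service = word
    return opts, (protocol if service == "*" else service)


def parse_pam_stack(text: str, pam_conf_service: str | None = None) -> list[PamRule]:
    """Parse a /etc/pam.d/<service> file or, when pam_conf_service is given,
    the rules for that service in /etc/pam.conf (first column is the service)."""
    rules: list[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = _TOKEN.findall(line)
        if pam_conf_service is not None:
            if toks[0] != pam_conf_service:
                continue
            toks = toks[1:]
        if toks[0] == "@include" and len(toks) == 2:   # Debian-style include line
            rules.append(PamRule("include", "", toks[1]))
        elif len(toks) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        else:
            rules.append(PamRule(toks[0], toks[1], toks[2], toks[3:]))
    return rules


def audit(rules: list[PamRule], opts: dict[str, str]) -> list[str]:
    """Findings about the stack Dovecot will run: it calls pam_authenticate and
    pam_acct_mgmt, and pam_open_session only when session=yes is set."""
    findings: list[str] = []
    types = {r.type for r in rules}
    if "include" in types:   # included files are not followed here
        return findings
    for t, call in (("auth", "pam_authenticate"), ("account", "pam_acct_mgmt")):
        if t not in types:
            findings.append(f"no '{t}' rules: nothing in this file runs for {call}")
    for r in rules:
        if r.type == "auth" and "nullok" in r.args:
            findings.append(f"{r.module} nullok: an account whose password field "
                            "is empty can log in with an empty password")
    if opts.get("session") == "yes" and "session" not in types:
        findings.append("session=yes set but no 'session' rules: pam_open_session "
                        "runs nothing, so a module like pam_mkhomedir is never invoked")
    return findings


if __name__ == "__main__":
    for protocol in ("imap", "pop3"):
        opts, service = resolve_pam_service(DOVECOT_PAM_ARGS, protocol)
        print(f"{protocol}: options={opts} -> PAM service {service!r}")
    for finding in audit(parse_pam_stack(PAM_D_DOVECOT), {"session": "yes"}):
        print("finding:", finding)
```

Run against the constructed /etc/pam.d/dovecot sample with session=yes it reports two findings (the nullok line and the missing session stack); the Solaris sample, which has all three phases and no nullok, reports none. Point parse_pam_stack at a real file's contents to audit your own stack; lines that include other files are left alone rather than followed.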

On Mac OS X, the /etc/pam.d/dovecot file should look like this:

auth       required       pam_nologin.so
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_uwtmp.so 

PasswordDatabase/PAM (last edited 2019-09-12 08:23:18 by MichaelSlusarz)