This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.
Revision history: revision 11 (2009-02-22 03:28:44, editor TimoSirainen); revision 12 (2009-03-15 22:35:09, editor localhost, comment: converted to 1.6 markup).

Password Databases

Dovecot authenticates users against password databases. Password databases can also be used to configure things like proxies.

You can use multiple databases, so if the password doesn't match in the first database, Dovecot checks the next one. This can be useful if you want to easily support having both virtual users and also local system users (see Authentication/MultipleDatabases).

Success/failure databases

These databases simply verify whether the given password is correct for the user. Dovecot doesn't get the correct password from the database; it only gets a "success" or a "failure" reply. This means that these databases can't be used with non-plaintext authentication mechanisms.

Databases that belong to this category are:

  • PAM: Pluggable Authentication Modules.

  • BSDAuth: BSD authentication.

  • CheckPassword: External checkpassword program.

Lookup databases

Dovecot does a lookup based on the username and possibly other information (e.g. IP address) and verifies the password validity itself. Fields that the lookup can return:

  • password: User's password.

    • password_noscheme: Like "password", but if a password begins with "{", assume it belongs to the password itself instead of treating it as a scheme prefix. This is usually needed only if you use plaintext passwords. v1.0.8+ only.

  • user: Returning a user field can be used to change the username. Typically used only for case changes (e.g. "UseR" -> "user").

    • username: Like user, but doesn't drop existing domain name (e.g. "username=foo" for "user@domain" gives "foo@domain"). v1.1+ only.
    • domain: Updates the domain part of the username. v1.1+ only.
  • Other special extra fields.
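The field semantics above (user vs. username vs. domain rewriting, and the "{" scheme prefix that password_noscheme switches off), worked through as an added example; this is an illustrative model written for this page, not Dovecot's own code, and its scheme table (PLAIN and SHA256 as hex) is a constructed stand-in rather than Dovecot's real scheme names or encodings:

```python
import hashlib
import hmac

# Illustrative model of the documented lookup fields; not Dovecot code.
# Scheme names/encodings below are constructed stand-ins, not Dovecot's.

def apply_user_fields(login_user, fields):
    """Rewrite the login name from the user/username/domain fields a lookup returned."""
    user = login_user
    if "user" in fields:
        # "user" replaces the whole name; an existing domain is dropped.
        user = fields["user"]
    if "username" in fields:
        # "username" keeps an existing domain: username=foo for user@domain -> foo@domain
        _, sep, domain = user.partition("@")
        user = fields["username"] + sep + domain
    if "domain" in fields:
        # "domain" replaces the domain part only (added here if the name had none).
        user = user.split("@", 1)[0] + "@" + fields["domain"]
    return user


def split_scheme(stored, noscheme=False):
    """Return (scheme or None, secret). With noscheme a leading '{' is part of the password."""
    if not noscheme and stored.startswith("{") and "}" in stored:
        scheme, _, secret = stored[1:].partition("}")
        return scheme.upper(), secret
    return None, stored


def encode(password, scheme="PLAIN"):
    """Produce a stored value in the constructed {SCHEME} notation used here."""
    if scheme == "SHA256":
        return "{SHA256}" + hashlib.sha256(password.encode()).hexdigest()
    return "{PLAIN}" + password


def verify(given, stored, noscheme=False, default_scheme="PLAIN"):
    """Check a plaintext login password against a stored value; unknown schemes fail closed."""
    scheme, secret = split_scheme(stored, noscheme)
    scheme = scheme or default_scheme
    if scheme == "PLAIN":
        candidate = given
    elif scheme == "SHA256":
        candidate = hashlib.sha256(given.encode()).hexdigest()
    else:
        return False  # unknown scheme: never fall back to a plaintext comparison
    return hmac.compare_digest(candidate.encode(), secret.encode())
```

A plaintext password that itself starts with "{" is misread as a scheme prefix unless password_noscheme is used, which is the case the page flags.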

Databases that support looking up only passwords, but no user or extra fields:

  • Passwd: System users (NSS, /etc/passwd, or similar).

  • Shadow: Shadow passwords for system users (NSS, /etc/shadow, or similar).

    • Dovecot supports reading all password schemes from passwd and shadow databases (if prefix is specified), but that is of course incompatible with all other tools using/modifying the passwords.

  • VPopMail: External software used to handle virtual domains.

Databases that support looking up everything:

  • Passwd-file: /etc/passwd-like file in a specified location.

  • LDAP: Lightweight Directory Access Protocol.

  • SQL: SQL database (PostgreSQL, MySQL, SQLite).

None: PasswordDatabase (last edited 2010-04-14 00:47:30 by unknown)