This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.
Differences between revisions 4 and 5
Revision 4 as of 2007-06-13 00:18:04
Size: 1355
Editor: TimoSirainen
Revision 5 as of 2007-08-01 13:27:23
Size: 2201
Editor: TimoSirainen
Line 3: Line 3:
Dovecot authenticates users from a password database. It needs to contain only usernames and their passwords. The passdb may also return special [wiki:PasswordDatabase/ExtraFields extra fields]. Dovecot authenticates users from password databases. It can also be used to configure things like [:PasswordDatabase/ExtraFields/Proxy:proxies].
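Review bot: in the new intro, "It can also be used to configure things like proxies" has no singular antecedent now that the first sentence reads "password databases". Suggest "A password database can also be used to configure things like proxies", or keep the subject plural throughout.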
Line 5: Line 5:
Dovecot supports defining multiple password databases, so that if the password doesn't match in the first database, it checks the next one. This can be useful if you want to easily support having both virtual users and also local system users in `/etc/passwd`. You can use multiple databases, so if the password doesn't match in the first database, Dovecot checks the next one. This can be useful if you want to easily support having both virtual users and also local system users (see ["Authentication/MultipleDatabases"]).
Line 7: Line 7:
Currently supported password databases (note that some of them can also be used as user databases): == Success/failure databases ==
Line 9: Line 9:
 * [wiki:PasswordDatabase/PAM PAM]: Pluggable Authentication Modules
 * [wiki:AuthDatabase/Passwd Passwd]: System users (NSS, `/etc/passwd`, or similiar)
 * [wiki:PasswordDatabase/Shadow Shadow]: Shadow passwords for system users (NSS, `/etc/shadow` or similiar)
 * [wiki:AuthDatabase/PasswdFile Passwd-file]: `/etc/passwd`-like file in specified location
 * [wiki:AuthDatabase/LDAP LDAP]: Lightweight Directory Access Protocol
 * [wiki:AuthDatabase/SQL SQL]: SQL database (PostgreSQL, MySQL, SQLite)
 * [wiki:PasswordDatabase/BSDAuth BSDAuth]: BSD authentication
 * [wiki:AuthDatabase/VPopMail VPopMail]: External software used to handle virtual domains
 * [wiki:PasswordDatabase/CheckPassword checkpassword]: External checkpassword program which is run
These databases simply verify if the given password is correct for the user. Dovecot doesn't get the correct password from the database, it only gets a "success" or a "failure" reply. This means that these databases can't be used with non-plaintext [:Authentication/Mechanisms:authentication mechanisms].

Databases that belong to this category are:

 * [:PasswordDatabase/PAM:PAM]: Pluggable Authentication Modules.
 * [:PasswordDatabase/BSDAuth:BSDAuth]: BSD authentication.
 * [:PasswordDatabase/CheckPassword:CheckPassword]: External checkpassword program.

== Lookup databases ==

Dovecot does a lookup based on the username and possibly other information (e.g. IP address) and verifies the password validity itself. Fields that the lookup can return:

 * [:Authentication/PasswordSchemes:password]: User's password.
 * [:PasswordDatabase/ExtraFields/User:user]: Returning a user field can be used to change the username. Typically used only for case changes (e.g. "UseR" -> "user").
 * Other special [:PasswordDatabase/ExtraFields:extra fields].

Databases that support looking up only passwords, but no user or extra fields:

 * [:AuthDatabase/Passwd:Passwd]: System users (NSS, {{{/etc/passwd}}}, or similiar).
 * [:PasswordDatabase/Shadow:Shadow]: Shadow passwords for system users (NSS, {{{/etc/shadow}}} or similiar).
 * [:AuthDatabase/VPopMail:VPopMail]: External software used to handle virtual domains.

Databases that support looking up everything:

 * [:AuthDatabase/PasswdFile:Passwd-file]: {{{/etc/passwd}}}-like file in specified location.
 * [:AuthDatabase/LDAP:LDAP]: Lightweight Directory Access Protocol.
 * [:AuthDatabase/SQL:SQL]: SQL database (PostgreSQL, MySQL, SQLite).
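Review bot: the Passwd and Shadow entries in the new "Lookup databases" list carry over the misspelling "similiar" from the old list. Since both lines are being rewritten here anyway, correct them to "similar".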

Password Databases

Dovecot authenticates users from password databases. A password database can also be used to configure things like [:PasswordDatabase/ExtraFields/Proxy:proxies].

You can use multiple databases, so if the password doesn't match in the first database, Dovecot checks the next one. This can be useful if you want to easily support having both virtual users and also local system users (see ["Authentication/MultipleDatabases"]).

Success/failure databases

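These databases simply verify whether the given password is correct for the user. Dovecot doesn't get the correct password from the database; it only gets a "success" or a "failure" reply. This means that these databases can't be used with non-plaintext [:Authentication/Mechanisms:authentication mechanisms].

Databases that belong to this category are:

  • [:PasswordDatabase/PAM:PAM]: Pluggable Authentication Modules.

  • [:PasswordDatabase/BSDAuth:BSDAuth]: BSD authentication.

  • [:PasswordDatabase/CheckPassword:CheckPassword]: External checkpassword program.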

Lookup databases

Dovecot does a lookup based on the username and possibly other information (e.g. IP address) and verifies the password validity itself. Fields that the lookup can return:

  • [:Authentication/PasswordSchemes:password]: User's password.

  • [:PasswordDatabase/ExtraFields/User:user]: Returning a user field can be used to change the username. Typically used only for case changes (e.g. "UseR" -> "user").

  • Other special [:PasswordDatabase/ExtraFields:extra fields].

Databases that support looking up only passwords, but no user or extra fields:

  • [:AuthDatabase/Passwd:Passwd]: System users (NSS, /etc/passwd, or similar).

  • [:PasswordDatabase/Shadow:Shadow]: Shadow passwords for system users (NSS, /etc/shadow or similar).

  • [:AuthDatabase/VPopMail:VPopMail]: External software used to handle virtual domains.

Databases that support looking up everything:

  • [:AuthDatabase/PasswdFile:Passwd-file]: /etc/passwd-like file in specified location.

  • [:AuthDatabase/LDAP:LDAP]: Lightweight Directory Access Protocol.

  • [:AuthDatabase/SQL:SQL]: SQL database (PostgreSQL, MySQL, SQLite).
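
The following is an added example, not Dovecot code and not part of the original wiki page. It models the two passdb categories above to show why a plaintext login can fall through a chain of databases while a non-plaintext mechanism (CRAM-MD5 here) only works against a lookup database. All class and function names are hypothetical, and the sample users and plaintext password storage are constructed simplifications.

```python
import hashlib
import hmac

# Constructed sample data; plaintext storage is a simplification for the demo.
VIRTUAL_USERS = {"alice": "alice-secret"}  # served by a lookup database
SYSTEM_USERS = {"bob": "bob-secret"}       # hidden behind a yes/no verifier


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class LookupPassdb:
    """Lookup database: returns the stored password to the auth process."""
    def lookup(self, user):
        return VIRTUAL_USERS.get(user)

    def verify_plain(self, user, password):
        stored = self.lookup(user)
        return stored is not None and same(stored, password)


class SuccessFailurePassdb:
    """Success/failure database: answers only yes or no for a password."""
    def lookup(self, user):
        return None  # the stored password is never exposed to the caller

    def verify_plain(self, user, password):
        stored = SYSTEM_USERS.get(user)
        return stored is not None and same(stored, password)


def auth_plain(passdbs, user, password):
    """Plaintext mechanism: try each database in order until one accepts."""
    return any(db.verify_plain(user, password) for db in passdbs)


def cram_md5_digest(password, challenge):
    """CRAM-MD5 digest (RFC 2195): HMAC-MD5 of the challenge, keyed by password."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def auth_cram_md5(passdbs, user, challenge, digest):
    """Non-plaintext mechanism: the server recomputes the digest itself,
    so only databases that return the password can verify it."""
    for db in passdbs:
        stored = db.lookup(user)
        if stored is not None and same(cram_md5_digest(stored, challenge), digest):
            return True
    return False
```

With both databases chained, "bob" can log in with a plaintext password but not with CRAM-MD5, because the server never sees the stored password it would need to recompute the digest.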

None: PasswordDatabase (last edited 2010-04-14 00:47:30 by unknown)