CheckPassword
=============
Checkpassword is an authentication interface originally implemented by qmail
[http://www.qmail.org/]. Checkpassword combines both the <password database>
[PasswordDatabase.txt] and <user database> [UserDatabase.txt] lookups into a
single checkpassword lookup, which makes it unsuitable for a standalone user
database.
Typically you'll use <prefetch> [UserDatabase.Prefetch.txt] as the userdb, but
it's not required that you use the checkpassword script's userdb capabilities.
You can still use, for example, <static userdb> [UserDatabase.Static.txt] if
you're using only a single UID and GID, and your home directory fits into a
template.
Deliver
-------
As mentioned above, checkpassword can't be used as a user database. This means
that if you wish to use <deliver> [LDA.txt], you can't use the '-d' parameter to
do userdb lookups. There are two ways to solve this:
1. Use another userdb which does the lookup for deliver, for example <SQL>
[AuthDatabase.SQL.txt] or <static> [UserDatabase.Static.txt]. Add this
userdb after the prefetch userdb.
2. Use a script to look up the user's home directory and run deliver without
'-d' parameter. For example:
---%<-------------------------------------------------------------------------
#!/bin/sh
# <<Lookup user's home directory here.>>
# If users have different UIDs/GIDs, make sure to also change this
# process's UID and GID. Note that only HOME environment is passed
# to deliver, you can't set MAIL or anything else.
export HOME
exec /usr/local/libexec/dovecot/deliver
---%<-------------------------------------------------------------------------
Checkpassword Interface
-----------------------
The interface is specified in http://cr.yp.to/checkpwd/interface.html. However
here's a quick tutorial for writing a script:
* Read '<username> NUL <password> NUL' from fd 3.
* Verify the username and password.
* If the authentication fails, exit with code 1. This makes Dovecot give an
  "Authentication failed" error to the user.
* If you encounter an internal error, exit with code 111. This makes Dovecot
  give a "Temporary authentication failure" error to the user.
* If the authentication succeeds, you'll need to:
   * Set the user's home directory in the '$HOME' environment variable. This
     isn't required, <but highly encouraged> [VirtualUsers.txt].
   * If the user name changed (e.g. if you lowercased "Username" to
     "username"), you can tell Dovecot about it by setting the '$USER'
     environment variable.
   * Change the process's effective UID and GID to the user's <UNIX UID and
     GID> [UserIds.txt].
      * Alternatively you could set the 'userdb_uid' and 'userdb_gid'
        environment variables and add them to the 'EXTRA' environment
        variable (see below for Dovecot extensions).
   * Your program received the path to the 'checkpassword-reply' binary as
     its first parameter. Execute it.
Qmail-LDAP
----------
Note that auth_imap that comes with qmail-ldap is not compatible with this
interface. You should use auth_pop instead, but you may need to pass
/aliasempty/ to let auth_pop find the Maildir, so it is recommended to write a
/var/qmail/bin/auth_dovecot wrapper (don't forget to chmod +x it) around
auth_pop.
---%<-------------------------------------------------------------------------
#!/bin/sh
# Wrapper around qmail-ldap's auth_pop that appends the aliasempty value
# (the Maildir path) as the last argument, as auth_pop expects.
QMAIL="/var/qmail"
if [ -e "$QMAIL/control/defaultdelivery" ]; then
ALIASEMPTY=`head -n 1 "$QMAIL/control/defaultdelivery" 2> /dev/null`
else
ALIASEMPTY=`head -n 1 "$QMAIL/control/aliasempty" 2> /dev/null`
fi
# Fall back to the qmail default if neither control file exists.
ALIASEMPTY=${ALIASEMPTY:-"./Maildir/"}
exec "$QMAIL/bin/auth_pop" "$@" "$ALIASEMPTY"
---%<-------------------------------------------------------------------------
You can also use this wrapper to pass the LOGLEVEL environment variable to
auth_pop.
Dovecot Extensions
------------------
If you wish to return <extra fields> [PasswordDatabase.ExtraFields.txt] for
Dovecot, set them in environment variables and then list them in the EXTRA
environment variable. The <userdb extra fields> [UserDatabase.ExtraFields.txt]
can be returned by prefixing them with 'userdb_'. For example:
---%<-------------------------------------------------------------------------
userdb_quota=maildir:storage=10000
userdb_mail=mbox:$HOME/mboxes
EXTRA=userdb_quota userdb_mail
---%<-------------------------------------------------------------------------
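As an added example (not from the Dovecot wiki or the checkpassword project), the following Python script implements the interface described above together with the 'userdb_' extension: it reads the request from fd 3, exits 1 or 111 as the protocol requires, exports HOME, USER, userdb_uid and userdb_gid listed in EXTRA, and then executes the checkpassword-reply binary from argv[1]. The salt, user records and home paths are constructed for the example; a real deployment would read them from a file or database.

```python
#!/usr/bin/env python3
"""Minimal checkpassword-style authenticator for Dovecot (constructed example).
Protocol: read "<user> NUL <pass> NUL" from fd 3; exit 1 on bad credentials,
111 on internal error; otherwise export HOME (+ USER, userdb_*, EXTRA) and
exec the checkpassword-reply binary passed as argv[1]."""
import hashlib
import hmac
import os
import sys

# Constructed user database: username -> (salted SHA-256 hex, uid, gid, home).
SALT = b"example-salt"
def _h(pw): return hashlib.sha256(SALT + pw.encode()).hexdigest()
USERS = {
    "alice": (_h("correct horse"), 1001, 1001, "/home/vmail/alice"),
    "bob":   (_h("hunter2"),       1002, 1002, "/home/vmail/bob"),
}

def parse_request(data):
    """Split the fd-3 payload into (username, password); None if malformed."""
    fields = data.split(b"\0")
    if len(fields) < 3:          # need user NUL pass NUL (trailing empty field)
        return None
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")

def authenticate(username, password):
    """Return the env to export on success, or the exit code (1) on failure."""
    user = username.strip().lower()              # normalise; reported via USER
    record = USERS.get(user)
    digest = _h(password)
    # Compare in constant time even for unknown users so timing does not
    # reveal which usernames exist.
    expected = record[0] if record else digest[::-1]
    ok = hmac.compare_digest(expected, digest)
    if record is None or not ok:
        return 1
    _, uid, gid, home = record
    return {"HOME": home, "USER": user, "userdb_uid": str(uid),
            "userdb_gid": str(gid), "EXTRA": "userdb_uid userdb_gid"}

def main():
    try:
        with os.fdopen(3, "rb") as fd3:
            req = parse_request(fd3.read(512))
        result = 111 if req is None else authenticate(*req)
    except Exception:
        result = 111                             # internal error, not "bad password"
    if isinstance(result, int):
        sys.exit(result)
    os.environ.update(result)
    os.execv(sys.argv[1], [sys.argv[1]])          # hand over to checkpassword-reply

if __name__ == "__main__":
    main()
```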
Dovecot also sets some environment variables that the script may use:
* 'SERVICE': contains e.g. imap, pop3 or smtp
* 'TCPLOCALIP' and 'TCPREMOTEIP': the client socket's IP addresses, if available
* 'MASTER_USER': set if a master login is attempted. The password then contains
  the master user's password, and the normal username contains the user the
  master wants to log in as.
Example
-------
The standard way:
---%<-------------------------------------------------------------------------
passdb checkpassword {
args = /usr/bin/checkpassword
}
userdb prefetch {
}
# If you want to use deliver -d and your users are in SQL:
userdb sql {
args = /etc/dovecot-sql.conf
}
---%<-------------------------------------------------------------------------
Using checkpassword only to verify the password:
---%<-------------------------------------------------------------------------
passdb checkpassword {
args = /usr/bin/checkpassword
}
userdb static {
args = uid=500 gid=500 home=/home/%u
}
---%<-------------------------------------------------------------------------
(This file was created from the wiki on 2007-06-15 04:42)