Can passdb be bypassed for non-plaintext authentication mechanisms

Mark Foley-2
I am using Active Directory authentication via gssapi for most users.  In dovecot.conf I have:

auth_mechanisms = plain login gssapi
auth_use_winbind = yes

I also have

passdb { driver = shadow }
userdb { driver = passwd }

for those few users who are NOT AD users.

Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks
them up in shadow, which ALWAYS fails.

The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with
non-plaintext authentication mechanisms."

Is there a way to bypass checking passdb (and userdb?) for these mechanisms?

--Mark

Re: Can passdb be bypassed for non-plaintext authentication mechanisms

Aki Tuomi-2

On 05.12.2017 08:05, Mark Foley wrote:

> I am using Active Directory authentication via gssapi for most users.  In dovecot.conf I have:
>
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
>
> I also have
>
> passdb { driver = shadow }
> userdb { driver = passwd }
>
> for those few users who are NOT AD users.
>
> Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks
> them up in shadow, which ALWAYS fails.
>
> The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with
> non-plaintext authentication mechanisms."
>
> Is there a way to bypass checking passdb (and userdb?) for these mechanisms?
>
> --Mark

You can try:

passdb {
  ...
  skip = authenticated
}

In very recent Dovecot versions you could use mechanism_filter too, but I
guess skip=authenticated should work.

Aki
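
The layout below is an added example written for this edit; it is not taken from the thread or from Dovecot's own documentation. It addresses both halves of Mark's question with the per-passdb `mechanisms` setting that Dovecot added in v2.2.30 (the setting is spelled `mechanisms` inside a passdb block): a passdb carrying `mechanisms = plain login` is skipped for GSSAPI logins, so the shadow lookup and its failure never happen for AD users, and a second passdb restricted to `mechanisms = gssapi` gives those logins an explicit result without ever accepting a password over PLAIN or LOGIN. The uid, gid and home values in the static userdb are placeholders, and the version requirement should be checked against the Dovecot actually in use.

```conf
# Added example for this edit; not from the thread or from Dovecot's docs.
# Assumes Dovecot 2.2.30 or newer: a passdb block is skipped when the
# client's SASL mechanism is not in its "mechanisms" list. The uid, gid
# and home path below are placeholders for this setup.

auth_mechanisms = plain login gssapi
auth_use_winbind = yes

# Local (non-AD) accounts. Shadow can only verify a password that was
# actually sent, so it is consulted for PLAIN and LOGIN only; a GSSAPI
# login never reaches it and no longer logs a failed shadow lookup.
passdb {
  driver = shadow
  mechanisms = plain login
}

# AD accounts. The Kerberos exchange has already authenticated the user,
# so this passdb just returns success with no password check. The
# mechanisms filter is what makes that safe: without it, nopassword=y
# would turn any PLAIN or LOGIN attempt into a passwordless login.
passdb {
  driver = static
  args = nopassword=y
  mechanisms = gssapi
}

# Local accounts resolve through passwd. An AD user missing from
# /etc/passwd falls through to the static userdb (userdb defaults:
# result_success = return-ok, result_failure = continue).
userdb {
  driver = passwd
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%u
}
```

Two checks after `doveadm reload`: a PLAIN login for an AD account must still fail (shadow is the only passdb that mechanism reaches, and the account is not in it), and the auth log for a GSSAPI login should no longer show the shadow lookup failure. On a Dovecot older than 2.2.30, `doveconf -n` should reject the `mechanisms` lines as unknown settings, which also confirms the version assumption before anything is deployed.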