Angel Luis Mateo Martinez
2013-Dec-19 12:36 UTC
[Dovecot] problem with password in a changing scenario
Hello, I'm having a problem with password changing. According to http://wiki2.dovecot.org/Authentication/Caching, I understand the "normal scenario" and the "using old cached password scenario", but I'm having a problem with the "early change scenario". I understand that in this case, if in step 4 the user tries password Y, then this password is not tried again and login fails. But if the user tries another password Z, is it tested? Or does it fail directly? I think that it fails directly. And here is my problem... I am using Dovecot with an LDAP backend and another PAM backend. The first one is for users connecting with an email client. The other one applies when the LDAP backend fails and is used for connections from our webmail, which is integrated in our CAS SSO environment (it has an IMAP proxy running too). Sometimes (the only scenario we were able to reproduce is with users that for some reason have two SSO sessions open) Dovecot receives an invalid CAS ticket, then authentication fails, and no newer tickets are tried until the cache is cleaned. That's why I think that in this scenario another password Z is not even tried. Any idea?

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 868888337

# 2.1.16: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.0-030400-generic x86_64 Ubuntu 12.04.3 LTS
auth_cache_size = 20 M
auth_cache_ttl = 1 days
auth_master_user_separator = *
default_process_limit = 1024
disable_plaintext_auth = no
imapc_features = rfc822.size
imapc_host = myotis30.um.es
imapc_master_user = master
imapc_password = VAsGowem
log_timestamp = %Y-%m-%d %H:%M:%S
login_trusted_networks = 155.54.211.176/28
mail_attachment_dir = /mail/users/attachments
mail_gid = vmail
mail_home = /mail/users/mailboxes/%2Ln/%Ln
mail_location = mdbox:%h/mdbox:INDEX=/mail/indexes/%2Ln/%Ln
mail_plugins = quota zlib lazy_expunge acl stats
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mdbox_rotate_size = 50 M
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = .
}
namespace {
  hidden = yes
  list = no
  location = mdbox:%h/expunged:INDEX=/mail/indexes/%2Ln/%Ln/expunged
  prefix = BORRADOS.
  separator = .
}
namespace {
  list = children
  location = mdbox:%%h/mdbox:INDEX=/mail/indexes/%%2Ln/%%Ln
  prefix = shared.%%u.
  separator = .
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = session=yes cache_key=%Ln dovecot
  driver = pam
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=3600
  lazy_expunge = BORRADOS.
  quota = dict:User quota::file:%h/quota
  quota_rule = *:storage=10G
  quota_rule2 = Trash:storage=+1G
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_max_redirects = 15
  stats_refresh = 30 secs
  stats_track_cmds = yes
  zlib_save = gz
  zlib_save_level = 6
}
postmaster_address = postmaster at um.es
protocols = " imap lmtp sieve pop3 sieve"
service anvil {
  client_limit = 3075
}
service auth {
  client_limit = 4096
  unix_listener auth-userdb {
    mode = 0777
  }
}
service doveadm {
  inet_listener {
    port = 24245
  }
}
service imap {
  process_limit = 10240
  process_min_avail = 6
  vsz_limit = 512 M
}
service ipc {
  unix_listener ipc {
    user = dovecot
  }
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  process_min_avail = 10
  vsz_limit = 512 M
}
service pop3 {
  process_min_avail = 6
}
service stats {
  fifo_listener stats-mail {
    mode = 0666
  }
}
ssl = no
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = quota zlib lazy_expunge acl stats sieve
}
protocol lda {
  mail_plugins = quota zlib lazy_expunge acl stats sieve
}
protocol imap {
  mail_plugins = quota zlib lazy_expunge acl stats imap_quota imap_acl
}
protocol pop3 {
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, in=%i, out=%o
}
local 155.54.211.160/27/27 {
  doveadm_password = <password>
}
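The sequence the post describes (a valid ticket X, then an invalid ticket Y that fails at the backend, then a newer valid ticket Z that is never checked until the cache is cleaned) can be replayed against a small model of a per-user lookup cache. This is an added example, not Dovecot's code: it models a cache keyed by username only, as the posted PAM passdb's `cache_key=%Ln` is, that remembers failed lookups as negative entries with their own TTL. The `Backend` stand-in, the user name, the TTL values and the `flush()` step are assumptions made for the illustration.

```python
"""Model of a passdb cache that remembers failed lookups per user.

Added illustration, not Dovecot's code. It models the behaviour the post
describes: a failed lookup for a user is remembered, and later secrets for
that user are rejected without asking the backend until the entry expires
or the cache is flushed. The cache is keyed by username only, mirroring
cache_key=%Ln in the posted PAM passdb; TTL values, the Backend stand-in
and the user name are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Backend:
    """Stand-in for a passdb (LDAP or PAM): one currently valid secret per user."""
    secrets: dict
    lookups: int = 0  # how many times the real backend was consulted

    def verify(self, user: str, secret: str) -> bool:
        self.lookups += 1
        return self.secrets.get(user) == secret


@dataclass
class AuthCache:
    """Per-user cache: a positive entry stores the accepted secret, a negative one stores None."""
    backend: Backend
    positive_ttl: float = 86400.0  # mirrors auth_cache_ttl = 1 days in the post
    negative_ttl: float = 3600.0   # assumed value for the negative TTL
    entries: dict = field(default_factory=dict)

    def authenticate(self, user: str, secret: str, now: float) -> bool:
        entry = self.entries.get(user)
        if entry is not None and now < entry["expires"]:
            if entry["secret"] is None:
                # Negative entry: the earlier failure is replayed and the
                # backend is not asked, whatever secret is presented now.
                return False
            if entry["secret"] == secret:
                # "Old cached password" case: still accepted until the entry expires.
                return True
            # Positive entry with a different secret: fall through to the backend.
        ok = self.backend.verify(user, secret)
        ttl = self.positive_ttl if ok else self.negative_ttl
        self.entries[user] = {"secret": secret if ok else None, "expires": now + ttl}
        return ok

    def flush(self, user: str) -> None:
        """Forget the user's entry (the cache clean-up the post resorts to)."""
        self.entries.pop(user, None)


def early_change_scenario(flush_before_retry: bool = False) -> dict:
    """Replay the post's sequence and report what happens to a later valid secret Z.

    X: old valid ticket, Y: stale/invalid ticket, Z: new valid ticket (constructed data).
    """
    backend = Backend({"angel": "X"})
    cache = AuthCache(backend)
    result = {}
    result["X"] = cache.authenticate("angel", "X", now=0.0)    # backend hit, positive entry
    backend.secrets["angel"] = "Z"                                # a new ticket is issued
    result["Y"] = cache.authenticate("angel", "Y", now=10.0)   # Y != cached X -> backend -> fails -> negative entry
    if flush_before_retry:
        cache.flush("angel")
    result["Z"] = cache.authenticate("angel", "Z", now=20.0)   # negative entry replayed unless flushed
    result["lookups_after_Z"] = backend.lookups
    result["Z_after_ttl"] = cache.authenticate("angel", "Z", now=20.0 + cache.negative_ttl)
    result["lookups"] = backend.lookups
    return result


if __name__ == "__main__":
    print(early_change_scenario())                         # Z rejected without a backend lookup
    print(early_change_scenario(flush_before_retry=True))  # Z reaches the backend and succeeds
```

Run as is, the first call shows Z failing with the backend consulted only twice (X and Y); Z is only tried once the negative entry has aged out. With `flush_before_retry=True` the same Z goes to the backend immediately and succeeds, which is the effect the post gets from cleaning the cache by hand.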