president at irithm.com
2006-May-11 20:46 UTC
[Dovecot] comment on dovecot documentation on PAM
Dear Dovecote devotees,

I have been going through dovecot configuration for the
first time. I am not an experienced systems administrator
so I had to do a left turn to read up about PAM while
doing all the configuration for my new webmail service.

I found the writing in the dovecot documentation about
PAM to be rather misleading in at least one aspect.
The documentation I am specifically referring to is at
http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
and in the comments found in the dovecot.conf file.
In this documentation PAM is referred to as a password database.
It appears that is not correct, rather PAM is something
that uses a password database.

Since the default for "auth_passdb" given in dovecot.conf was
"pam" I spent some time trying to find a pam password database.
I eventually found out at an independent website that what pam
uses is either /etc/passwd or /etc/shadow or /etc/samba/smbpasswd.
It was a relief to find out pam uses one of these, since
my system has one of them (/etc/shadow), but I was looking to
find something quite different for pam since /etc/shadow is
one of the listed alternative values for "auth_passdb".

I would have been spared a somewhat lengthy search to find out
this information if the documentation was written rather more
clearly. So, to help others, I suggest changing the following
lines in dovecot.conf

# Where password database is kept:
# passwd: /etc/passwd or similiar, using getpwnam()
# shadow: /etc/shadow or similiar, using getspnam()
# pam [<service> | *]: PAM authentication

to:

# Where password database is kept:
# passwd: /etc/passwd or similiar, using getpwnam()
# shadow: /etc/shadow or similiar, using getspnam()
# pam [<service> | *]: /etc/shadow or similiar, using PAM authentication

Updating the documentation in
http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
to include a phrase that mentions that PAM authentication
works from one of the standard password databases (i.e. /etc/passwd,
/etc/shadow or /etc/samba/smbpasswd) would also be helpful.

yours sincerely,

Rolf

president at irithm.com wrote:
> Dear Dovecote devotees,
>
> I have been going through dovecot configuration for the
> first time. I am not an experienced systems administrator
> so I had to do a left turn to read up about PAM while
> doing all the configuration for my new webmail service.
>
> I found the writing in the dovecot documentation about
> PAM to be rather misleading in at least one aspect.
> The documentation I am specifically referring to is at
> http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
> and in the comments found in the dovecot.conf file.
> In this documentation PAM is referred to as a password database.
> It appears that is not correct, rather PAM is something
> that uses a password database.
>
> Since the default for "auth_passdb" given in dovecot.conf was
> "pam" I spent some time trying to find a pam password database.
> I eventually found out at an independent website that what pam
> uses is either /etc/passwd or /etc/shadow or /etc/samba/smbpasswd.
> It was a relief to find out pam uses one of these, since
> my system has one of them (/etc/shadow), but I was looking to
> find something quite different for pam since /etc/shadow is
> one of the listed alternative values for "auth_passdb".
>
> I would have been spared a somewhat lengthy search to find out
> this information if the documentation was written rather more
> clearly. So, to help others, I suggest changing the following
> lines in dovecot.conf
>
> # Where password database is kept:
> # passwd: /etc/passwd or similiar, using getpwnam()
> # shadow: /etc/shadow or similiar, using getspnam()
> # pam [<service> | *]: PAM authentication
>
> to:
>
> # Where password database is kept:
> # passwd: /etc/passwd or similiar, using getpwnam()
> # shadow: /etc/shadow or similiar, using getspnam()
> # pam [<service> | *]: /etc/shadow or similiar, using PAM
> authentication

Or maybe see http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
for even more ways to get Pam educated. Watch out for all the wikipedia
entries on Pamela Anderson tho, since they are not even remotely related
to dovecot configuration.

Ken A

> Updating the documentation in
> http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
> to include a phrase that mentions that PAM authentication
> works from one of the standard password databases (i.e. /etc/passwd,
> /etc/shadow or /etc/samba/smbpasswd) would also be helpful.
>
> yours sincerely,
>
> Rolf

Hi all

president at irithm.com wrote:
> Dear Dovecote devotees,
>
> I have been going through dovecot configuration for the
> first time. I am not an experienced systems administrator
> so I had to do a left turn to read up about PAM while
> doing all the configuration for my new webmail service.
>
> I found the writing in the dovecot documentation about
> PAM to be rather misleading in at least one aspect.
> The documentation I am specifically referring to is at
> http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
> and in the comments found in the dovecot.conf file.
> In this documentation PAM is referred to as a password database.
> It appears that is not correct, rather PAM is something
> that uses a password database.

Strictly speaking, PAM is not something that uses a password database.
It is an authentication system. Among other things, it checks if a given
pair username/password is correct or not. Maybe trying an LDAP bind, but
I'd not say that LDAP can be considered a 'password database'.

> Since the default for "auth_passdb" given in dovecot.conf was
> "pam" I spent some time trying to find a pam password database.

I agree with you that 'password database' is not the best term, but it
is a minor issue. Any system administrator will understand what it
refers to. Let me say that the separation between user lookup and
authentication systems is one of the (many) good ideas in Dovecot. For
example, it allows an administrator to access any account for solving
problems without the need for the mechanism of 'master password'.

> I eventually found out at an independent website that what pam
> uses is either /etc/passwd or /etc/shadow or /etc/samba/smbpasswd.
> It was a relief to find out pam uses one of these, since
> my system has one of them (/etc/shadow), but I was looking to
> find something quite different for pam since /etc/shadow is
> one of the listed alternative values for "auth_passdb".
>
> I would have been spared a somewhat lengthy search to find out
> this information if the documentation was written rather more
> clearly. So, to help others, I suggest changing the following
> lines in dovecot.conf
>
> # Where password database is kept:
> # passwd: /etc/passwd or similiar, using getpwnam()
> # shadow: /etc/shadow or similiar, using getspnam()
> # pam [<service> | *]: PAM authentication
>
> to:
>
> # Where password database is kept:
> # passwd: /etc/passwd or similiar, using getpwnam()
> # shadow: /etc/shadow or similiar, using getspnam()
> # pam [<service> | *]: /etc/shadow or similiar, using PAM
> authentication
>
> Updating the documentation in
> http://wiki.dovecot.org/Authentication?highlight=%28authentication%29
> to include a phrase that mentions that PAM authentication
> works from one of the standard password databases (i.e. /etc/passwd,
> /etc/shadow or /etc/samba/smbpasswd) would also be helpful.

I don't think that correction is necessary. Any system administrator
must understand PAM not only for Dovecot, but for any service that
requires authentication. The documentation of all those services cannot
be a tutorial.

Best regards.

--
+----------------------------------------------^-----------------------+
| Luis Meléndez Aganzo                         ^ Email: luism at uco.es |
| Servicio de Informática                      ^ Tlf: 34-(9)57-211022  |
| Área de Sistemas                             ^ Fax: 34-(9)57-218116  |
| Universidad de Córdoba (SPAIN)               ^ http://www.uco.es     |
+----------------------------------------------^-----------------------+
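
Added example, not part of the thread and not Dovecot's own code: which store a `pam` passdb ends up checking is decided by the PAM service file, so this sketch walks a service's auth stack and lists the stores its modules consult. The service name `dovecot`, the sample files and the module-to-store table are constructed assumptions.

```python
import re

# Constructed sample /etc/pam.d contents (an assumption, not from the thread).
SAMPLE_PAM_D = {
    "dovecot": "#%PAM-1.0\n"
               "auth     required  pam_nologin.so\n"
               "auth     include   system-auth\n"
               "account  required  pam_unix.so\n",
    "system-auth": "auth  sufficient  pam_unix.so nullok try_first_pass\n"
                   "auth  [success=done default=ignore]  pam_ldap.so use_first_pass\n"
                   "auth  required  pam_deny.so\n",
    "other": "auth  required  pam_deny.so\n",
}

# Credential stores behind a few common modules (illustrative, not exhaustive).
STORES = {
    "pam_unix.so": "/etc/passwd and /etc/shadow",
    "pam_ldap.so": "LDAP directory",
    "pam_smbpass.so": "Samba smbpasswd",
}

# Fields: type, control (plain word or [bracketed list]), module path.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(service, pam_d, seen=None):
    """List the modules in a service's 'auth' stack, following includes."""
    top = seen is None
    seen = set() if top else seen
    if service in seen:  # guard against include loops
        return []
    seen.add(service)
    # Linux-PAM uses the 'other' service when the requested one has no file.
    text = pam_d.get(service, pam_d.get("other", "") if top else "")
    modules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = RULE.match(line)
        if line.startswith("@include"):  # Debian-style include of a whole file
            modules += auth_modules(line.split()[1], pam_d, seen)
        elif m and m.group(1) == "auth" and m.group(2) in ("include", "substack"):
            modules += auth_modules(m.group(3), pam_d, seen)
        elif m and m.group(1) == "auth":
            modules.append(m.group(3).rsplit("/", 1)[-1])
    return modules

def credential_stores(service, pam_d):
    """Stores a `pam` passdb may consult for this service, in stack order."""
    return [STORES[m] for m in auth_modules(service, pam_d) if m in STORES]
```

On a real host the same walk would read the files under /etc/pam.d/ instead of the inline dictionary.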