Hi folks,
According to the wiki,? it's considered a feature of Dovecot and its
ability to support multiple authentication sources that "if the
password doesn't match in the first database, it checks the next
one".
?) http://wiki.dovecot.org/Authentication/MultipleDatabases
I think it's great that Dovecot allows auth sources to be stacked
like this, but I am not sold on the idea that the next database
ought to be tried when a *password* does not match. Let me
elaborate:
If the first database has knowledge of a user, then it can (should)
be considered authoritative, and if the provided password does not
match, it's an authentication error right away. Only if the first
source does not posess any knowledge about a given user, then should
Dovecot proceed to query/check with the next database.
Can this be configured somehow?
If not, would it make sense to make this behaviour configurable?
Thanks,
--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
"the ships hung in the sky in much the same way that bricks
don't."
-- hitchhiker's guide to the galaxy
spamtraps: madduck.bogus at madduck.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: digital_signature_gpg.asc
Type: application/pgp-signature
Size: 1107 bytes
Desc: Digital signature (see
http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151118/c87c31da/attachment.sig>
> On 17 Nov 2015, at 22:51, martin f krafft <madduck at madduck.net> wrote: > > Hi folks, > > According to the wiki,? it's considered a feature of Dovecot and its > ability to support multiple authentication sources that "if the > password doesn't match in the first database, it checks the next > one". > > ?) http://wiki.dovecot.org/Authentication/MultipleDatabases > > I think it's great that Dovecot allows auth sources to be stacked > like this, but I am not sold on the idea that the next database > ought to be tried when a *password* does not match. Let me > elaborate: > > If the first database has knowledge of a user, then it can (should) > be considered authoritative, and if the provided password does not > match, it's an authentication error right away. Only if the first > source does not posess any knowledge about a given user, then should > Dovecot proceed to query/check with the next database. > > Can this be configured somehow? > If not, would it make sense to make this behaviour configurable?Well, your topic is PAM.. And PAM doesn't necessarily tell you if the problem is that the user doesn't exist or that the password doesn't match. Another similar problem is checkpassword script. And LDAP with auth_bind=yes. And some ways of configuring SQL.. But.. Right now passdb has result_success, result_failure and result_internalfail. I suppose it should be possible to add result_user_unknown there that defaults to result_failure if it's not explicitly set. It wouldn't work with all passdb setups, but it would work for some. I've added it to my TODO list, but that's quite long already and this is near the bottom of it. So if you want it to be added to Dovecot anytime soon please send a patch. Shouldn't be difficult to implement.
also sprach Timo Sirainen <tss at iki.fi> [2015-11-21 14:14 +1300]:> Well, your topic is PAM.Is it? My point is that PAM should not even be asked if an authentication source beforehand knows about a user but the password cannot be verified.> But.. Right now passdb has result_success, result_failure and > result_internalfail. I suppose it should be possible to add > result_user_unknown there that defaults to result_failure if it's > not explicitly set.result_user_known should be resturned when the authentication source does not know about a user. If the authentication source knows a user but fails to authenticate him/her due to a password mismatch, the result should rather be result_auth_failure. Those two should really replace result_failure and the dovecot authentication stack should only continue on result_user_known or result_internalfail. If we get result_success or result_auth_failure, then authentication is done and no further sources should be considered. -- @martinkrafft | http://madduck.net/ | http://two.sentenc.es/ only by counting could humans demonstrate their independence of computers. -- douglas adams, "the hitchhiker's guide to the galaxy" spamtraps: madduck.bogus at madduck.net -------------- next part -------------- A non-text attachment was scrubbed... Name: digital_signature_gpg.asc Type: application/pgp-signature Size: 1107 bytes Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current) URL: <http://dovecot.org/pipermail/dovecot/attachments/20151121/2b9af75f/attachment.sig>