Passwd
======

The user is looked up using the 'getpwent()' call, which usually looks in the
'/etc/passwd' file, but depending on the NSS
[http://en.wikipedia.org/wiki/Name_Service_Switch] configuration it may also
look up the user from e.g. an LDAP database.

Passwd is most commonly used as a user database. Many systems use shadow
passwords nowadays, so it doesn't usually work as a password database. BSDs are
an exception to this: they still set the password field even with shadow
passwords.

The lookup is by default done in the primary dovecot-auth process, so if NSS is
configured to do the lookups from an external server, it slows down all the
other authentications while waiting for the reply. To avoid that, you can use
the 'blocking=yes' argument to do the lookups in auth worker processes:

---%<-------------------------------------------------------------------------
# NOTE: v1.0.rc23 and later only
userdb passwd {
  args = blocking=yes
}
---%<-------------------------------------------------------------------------

nss_ldap
--------

nss_ldap can in some cases return the wrong user's information and cause users
to log in as each other. With 1.0.rc23 and later you can fix this by using the
'blocking=yes' setting as described above.

There's an nss_ldap bug about this in RedHat's Bugzilla
[https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154314].
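
A defence-in-depth check for the failure described above, as an added example
that is not Dovecot's own code: a reentrant passwd lookup that rejects any
record whose 'pw_name' differs from the requested user. The names
'lookup_user_checked', 'passwd_entry_matches' and the 'lookup_result' enum are
hypothetical, and the check complements 'blocking=yes' rather than replacing it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

enum lookup_result { LOOKUP_OK, LOOKUP_NOT_FOUND, LOOKUP_MISMATCH, LOOKUP_ERROR };

/* True only when the record NSS returned is for the name that was requested. */
static int passwd_entry_matches(const struct passwd *pw, const char *requested)
{
    return pw != NULL && pw->pw_name != NULL && requested != NULL &&
           strcmp(pw->pw_name, requested) == 0;
}

/* Hypothetical helper, not Dovecot code: refuses a record for another user. */
static enum lookup_result lookup_user_checked(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd pw, *res = NULL;
    enum lookup_result r = LOOKUP_ERROR;
    size_t len = 1024;
    char *buf = NULL, *tmp;
    int err = ERANGE;

    while (err == ERANGE && len <= (1u << 20)) {
        if ((tmp = realloc(buf, len)) == NULL)
            break;
        buf = tmp;
        err = getpwnam_r(user, &pw, buf, len, &res);
        len *= 2; /* retry with a larger buffer if it was too small */
    }
    if (err == 0 && res == NULL)
        r = LOOKUP_NOT_FOUND;
    else if (err == 0 && !passwd_entry_matches(res, user))
        r = LOOKUP_MISMATCH; /* NSS handed back another user's entry */
    else if (err == 0) {
        *uid = res->pw_uid;
        *gid = res->pw_gid;
        r = LOOKUP_OK;
    }
    free(buf);
    return r;
}

/* Exit status is the lookup_result for the user named in argv[1]. */
int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    return lookup_user_checked(argc > 1 ? argv[1] : "root", &uid, &gid);
}
```

A caller should treat 'LOOKUP_MISMATCH' as an authentication failure and log
both the requested and the returned name.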

If you are using *PAM + nss_ldap* for all of your login needs (empty
'/etc/passwd', '/etc/nsswitch.conf' uses 'passwd: ldap', etc.) then a good
starting configuration might look like:

---%<-------------------------------------------------------------------------
# NOTE: v1.0.rc23 and later only
  userdb passwd {
    args = blocking=yes
  }
  passdb pam {
    args = dovecot
  }
---%<-------------------------------------------------------------------------

This would be defined as: /blocking=no pam, blocking=yes nss_ldap: No memory
leaks. Fixes nss_ldap problems. Each PAM lookup is done in a forked process.
NSS lookups are done in auth worker processes. No lookup blocks others./

(This file was created from the wiki on 2007-04-13 14:32)
