On 7.1.2012, at 5.36, Yubao Liu wrote:

> In old version, "auth->passdbs" contains all passdbs, this revision
> changes "auth->passdbs" to only contain non-master passdbs.
>
> I'm not sure which fix is better or even my proposal is correct or fully:
> a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
> auth->passdbs too, and remove duplicate code for masterdbs
> in auth_init() and auth_deinit().

Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users to log in as other users.

> b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
> auth_passdb_list_have_lookup_credentials(),
> auth_passdb_list_have_set_credentials().

Kind of annoying code duplication, but .. I guess it can't really be helped. Added: http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4

> Another related question is "pass" option in master passdb, if I set it to
> "yes",
> the authentication fails:
..
> My normal passdb is a PAM passdb, it doesn't support credential lookups,
> that's
> reasonable,

Right.

> but I feel the comment for "pass" option is confusing:
>
> # Unless you're using PAM, you probably still want the destination user to
> # be looked up from passdb that it really exists. pass=yes does that.
> pass = yes
> }
>
> According to the comment, it's to check whether the real user exists, why not
> to check userdb but another passdb?

Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with a different error message.

> Even if it must check against passdb,
> in this case, it's obviously not necessary to lookup credentials, it's enough
> to lookup user name only.

There's currently no passdb that supports "does user exist?" lookup, but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)
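As an added illustration of the setup the thread discusses (this is not configuration from the original mail or from the Dovecot tree), a Dovecot 2.0 passdb layout that keeps the master passdb separate from a PAM passdb and shows why `pass = yes` cannot work in front of PAM; the passwd-file path is an assumed placeholder:

```conf
# Master passdb: only the users listed in this file may log in as
# another user. It is kept apart from the normal passdb list so that an
# ordinary user can never match it (the point made in the reply above).
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users   # assumed path, not from the thread
  master = yes
  # pass = yes would additionally look the destination user up in the
  # normal passdb below. PAM cannot answer credential lookups, so that
  # lookup fails and the master login is rejected. With PAM, leave
  # pass = no; the destination user is still checked by the userdb.
  pass = no
}

# Normal passdb: PAM only supports verify-plain (password checking),
# not credential lookups.
passdb {
  driver = pam
}

# The destination user must still exist here even with pass = no;
# a missing user simply fails at this later step instead.
userdb {
  driver = passwd
}
```

With a passdb that does support credential lookups (for example passwd-file or sql) in place of PAM, `pass = yes` on the master passdb makes the existence check happen at passdb time, as the config comment quoted in the thread intends.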
