X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=etc%2Fpam.d%2Fdovecot;fp=etc%2Fpam.d%2Fdovecot;h=ddf9a027563d023e512c6d5efe110ea4e1208428;hb=4ce691b560b037fc7a87219d92a175156c92f892;hp=0000000000000000000000000000000000000000;hpb=be02e552db38aa66658c5799f58e61bec39df736;p=matthijs%2Fservers%2Fdrsnuggles.git
diff --git a/etc/pam.d/dovecot b/etc/pam.d/dovecot
new file mode 100644
index 0000000..ddf9a02
--- /dev/null
+++ b/etc/pam.d/dovecot
@@ -0,0 +1,22 @@
+#%PAM-1.0
+
+# We have a common auth and account section, since we don't need to check the
+# "host" attribute, but the "mailHost" attribute. It would be sufficient to
+# use a custom account section, but pam_ldap only loads its config once, so we
+# can't use a different config for just the accoun section.
+
+# These are just taken from common-{auth,account}, but with the config=
+# parameter added.
+auth required pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+# We point the module to an alternative configuration file.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+@include common-session
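Review bot: On the last `account` line, `user_unknown=ignore` means a user that pam_ldap cannot find skips the LDAP-side check entirely and is decided by pam_unix alone. Since the auth stack here is pam_ldap-only, such a user should not normally reach the account phase, so the exception inherited from common-account looks unnecessary; `account required pam_ldap.so config=/etc/pam_ldap_dovecot.conf` would treat an unknown user as a failure too. The comment above that line still names the "host" attribute although the header says this service checks "mailHost", so I would reword it to `# pam_ldap does the mailHost check configured in /etc/pam_ldap_dovecot.conf`. That file is not part of this hunk, so whether the attribute check is actually enabled there cannot be confirmed from here.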