summaryrefslogtreecommitdiffstats
path: root/doc/wiki/UserDatabase.txt
blob: 31a745c0609955e8908b8dfa43bbe9ed4b2cf711 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
User Databases
==============

After a user has been successfully authenticated, Dovecot looks up the user's
userdb information. The userdb lookup is also done by <LDA.txt> to find out how
to deliver mails for the user.

The user database lookup can return these fields:

 * *uid*: User's <UID> [UserIds.txt] (UNIX user ID), overrides the global
   'mail_uid' setting.
 * *gid*: User's <GID> [UserIds.txt] (UNIX group ID), overrides the global
   'mail_gid' setting.
 * *home*: User's <home directory> [VirtualUsers.Home.txt], overrides the
   global 'mail_home' setting. Although not required, it's <highly recommended
   even for virtual users> [VirtualUsers.Home.txt].
 * Optional <extra fields> [UserDatabase.ExtraFields.txt]
    * *user*: Changes the username (can also be done by the passdb lookup)
    * Overwriting all mail-related settings, for example:
       * *mail*: <Mail location> [MailLocation.txt], overrides the global
         'mail_location' setting.
       * *quota_rule* to specify per-user quota limit
    * The extra fields are also passed to <post-login scripts>
      [PostLoginScripting.txt]

The user and <password databases> [PasswordDatabase.txt] may be the same or
they may be different depending on your needs. You can also have <multiple
databases> [Authentication.MultipleDatabases.txt].

Currently supported user databases are:

 * <Passwd> [AuthDatabase.Passwd.txt]: System users (NSS, '/etc/passwd', or
   similiar)
 * <Passwd-file> [AuthDatabase.PasswdFile.txt]: '/etc/passwd'-like file in
   specified location
 * <NSS> [UserDatabase.NSS.txt]: Name Service Switch
 * <LDAP> [AuthDatabase.LDAP.txt]: Lightweight Directory Access Protocol
 * <SQL> [AuthDatabase.SQL.txt]: SQL database (PostgreSQL, MySQL, SQLite)
 * <Dict> [AuthDatabase.Dict.txt]: Dict key-value database (Redis, memcached,
   etc.)
 * <Static> [UserDatabase.Static.txt]: Userdb information generated from a
   given template
 * <VPopMail> [AuthDatabase.VPopMail.txt]: External software used to handle
   virtual domains
 * <Prefetch> [UserDatabase.Prefetch.txt]: This assumes that the passdb already
   returned also all the required user database information
 * <Lua> [AuthDatabase.Lua.txt]: Lua script for authentication (v2.3.0+)

Userdb settings
---------------

An example userdb entry might look like this:

---%<-------------------------------------------------------------------------
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/users

  default_fields = uid=vmail gid=vmail
  override_fields =

  # v2.2.10+:
  skip = never
  result_failure = continue
  result_internalfail = continue
  result_success = return-ok

  # v2.2.24+:
  auth_verbose = default
}
---%<-------------------------------------------------------------------------

First we have the settings that provide content for the userdb lookup:

 * driver: The userdb backend name
 * args: Arguments for the userdb backend. The format of this value depends on
   the userdb driver. Each one uses different args.
 * default_fields: Userdb fields (and <extra fields>
   [UserDatabase.ExtraFields.txt]) that are used, unless overwritten by the
   userdb backend. They are in format 'key=value key2=value2 ...'. The values
   can contain <%variables> [Variables.txt].
 * override_fields: Same as default_fields, but instead of providing the
   default values, these values override what the userdb backend returned. For
   example useful with <userdb passwd> [AuthDatabase.Passwd.txt] for overriding
   e.g. home directory or the uid/gid.
 * auth_verbose: If this is explicitly set to yes or no, it overrides the
   global auth_verbose setting. (However, auth_debug=yes overrides the
   auth_verbose setting.) (v2.2.24+)

Then we have the setting which specify when the userdb is used (v2.2.10+):

 * skip: Do we sometimes want to skip over this userdb?
    * never
    * found: Skip if an earlier userdb already found the user
    * notfound: Skip if previous userdbs haven't yet found the user

And finally we can control what happens when we're finished with this userdb
(v2.2.10+):

 * result_success: What to do if the user was found from the userdb (default:
   return-ok)
 * result_failure: What to do if the user wasn't found from the userdb
   (default: continue)
 * result_internalfail: What to do if the userdb lookup had an internal failure
   (default: continue). If any of the userdbs had an internal failure and the
   final userdb also returns "continue", the lookup will fail with "internal
   error".*WARNING*: If multiple userdbs are required (results are merged),
   it's important to set result_internalfail=return-fail to them, otherwise the
   userdb lookup could still succeed but not all the intended extra fields are
   set.

The result values that can be used:

 * return-ok: Return success, don't continue to the next userdb.
 * return-fail: Return "user doesn't exist", don't continue to the next userdb.

 * return: Return earlier userdb's success or failure, don't continue to the
   next userdb. If this was the first userdb, return "user doesn't exist".
 * continue-ok: Set the current user existence state to "found", and continue
   to the next userdb.
 * continue-fail: Set the current user existence state to "not found", and
   continue to the next userdb.
 * continue: Continue to the next userdb without changing the user existence
   state. The initial state is "not found".

(This file was created from the wiki on 2019-06-19 12:42)