Password Databases
==================

Dovecot authenticates users against password databases. It can also be used to
configure things like <proxies> [PasswordDatabase.ExtraFields.Proxy.txt].

You can use multiple databases, so if the password doesn't match in the first
database, Dovecot checks the next one. This can be useful if you want to easily
support having both virtual users and also local system users (see
<Authentication.MultipleDatabases.txt>).

Success/failure databases
-------------------------

These databases simply verify if the given password is correct for the user.
Dovecot doesn't get the correct password from the database, it only gets a
"success" or a "failure" reply. This means that these databases can't be used
with non-plaintext <authentication mechanisms> [Authentication.Mechanisms.txt].

Databases that belong to this category are:

 * <PAM> [PasswordDatabase.PAM.txt]: Pluggable Authentication Modules.
 * <BSDAuth> [PasswordDatabase.BSDAuth.txt]: BSD authentication.
 * <CheckPassword> [AuthDatabase.CheckPassword.txt]: External checkpassword
   program.

Lookup databases
----------------

Dovecot does a lookup based on the username and possibly other information
(e.g. IP address) and verifies the password validity itself. Fields that the
lookup can return:

 * <password> [Authentication.PasswordSchemes.txt]: User's password.
    * password_noscheme: Like "password", but if a password begins with "{",
      assume it belongs to the password itself instead of treating it as a
      <scheme> [Authentication.PasswordSchemes.txt] prefix. This is usually
      needed only if you use plaintext passwords.
 * <user> [PasswordDatabase.ExtraFields.User.txt]: Returning a user field can
   be used to change the username. Typically used only for case changes (e.g.
   "UseR" -> "user").
    * username: Like user, but doesn't drop existing domain name (e.g.
      "username=foo" for "user@domain" gives "foo@domain").
    * domain: Updates the domain part of the username.
 * Other special <extra fields> [PasswordDatabase.ExtraFields.txt].

Databases that support looking up only passwords, but no user or extra fields:

 * <Passwd> [AuthDatabase.Passwd.txt]: System users (NSS, '/etc/passwd', or
   similiar).
 * <Shadow> [PasswordDatabase.Shadow.txt]: Shadow passwords for system users
   (NSS,'/etc/shadow' or similiar).
    * Dovecot supports reading all <password schemes>
      [Authentication.PasswordSchemes.txt] from passwd and shadow databases (if
      prefix is specified), but that is of course incompatible with all other
      tools using/modifying the passwords.
 * <VPopMail> [AuthDatabase.VPopMail.txt]: External software used to handle
   virtual domains.

Databases that support looking up everything:

 * <Passwd-file> [AuthDatabase.PasswdFile.txt]: '/etc/passwd'-like file in
   specified location.
 * <LDAP> [AuthDatabase.LDAP.txt]: Lightweight Directory Access Protocol.
 * <SQL> [AuthDatabase.SQL.txt]: SQL database (PostgreSQL, MySQL, SQLite).
 * <Static> [PasswordDatabase.Static.txt]: Static passdb for simple
   configurations

(This file was created from the wiki on 2011-11-16 14:09)