From 3d9db880fa0ad8fc3f35b07d1e694f82b1cc4ef4 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Sat, 6 Mar 2010 16:34:52 +0200
Subject: [PATCH] example-config: Moved passdbs and userdbs to separate auth-*.conf.ext files.
--HG--
branch : HEAD
---
 doc/example-config/conf.d/Makefile.am | 8 +
 .../conf.d/auth-checkpassword.conf.ext | 21 ++
 doc/example-config/conf.d/auth-deny.conf.ext | 15 ++
 doc/example-config/conf.d/auth-ldap.conf.ext | 22 ++
 .../conf.d/auth-master.conf.ext | 16 ++
 .../conf.d/auth-passwdfile.conf.ext | 14 ++
 doc/example-config/conf.d/auth-sql.conf.ext | 22 ++
 .../conf.d/auth-system.conf.ext | 71 +++++++
 .../conf.d/auth-vpopmail.conf.ext | 15 ++
 doc/example-config/conf.d/auth.conf | 190 +-----------------
 10 files changed, 213 insertions(+), 181 deletions(-)
 create mode 100644 doc/example-config/conf.d/auth-checkpassword.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-deny.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-ldap.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-master.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-passwdfile.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-sql.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-system.conf.ext
 create mode 100644 doc/example-config/conf.d/auth-vpopmail.conf.ext
diff --git a/doc/example-config/conf.d/Makefile.am b/doc/example-config/conf.d/Makefile.am
index 6b7a768507..7c5af864d7 100644
--- a/doc/example-config/conf.d/Makefile.am
+++ b/doc/example-config/conf.d/Makefile.am
@@ -3,6 +3,14 @@ pkgsysconfdir = $(sysconfdir)/dovecot
 exampledir = $(docdir)/example-config/conf.d
 example_DATA = \
 auth.conf \
+ auth-checkpassword.conf.ext \
+ auth-deny.conf.ext \
+ auth-ldap.conf.ext \
+ auth-master.conf.ext \
+ auth-passwdfile.conf.ext \
+ auth-sql.conf.ext \
+ auth-system.conf.ext \
+ auth-vpopmail.conf.ext \
 imap.conf \
 lda.conf \
 lmtp.conf \
diff --git a/doc/example-config/conf.d/auth-checkpassword.conf.ext b/doc/example-config/conf.d/auth-checkpassword.conf.ext
new file mode 100644
index 0000000000..02efae33ec
--- /dev/null
+++ b/doc/example-config/conf.d/auth-checkpassword.conf.ext
@@ -0,0 +1,21 @@
+# Authentication for checkpassword users. Included from auth.conf.
+#
+#
+
+passdb {
+ driver = checkpassword
+ args = /usr/bin/checkpassword
+}
+
+# passdb lookup should return also userdb info
+userdb {
+ driver = prefetch
+}
+
+# Standard checkpassword doesn't support direct userdb lookups.
+# If you need checkpassword userdb, the checkpassword must support
+# Dovecot-specific extensions.
+#userdb {
+# driver = checkpassword
+# args = /usr/bin/checkpassword
+#}
diff --git a/doc/example-config/conf.d/auth-deny.conf.ext b/doc/example-config/conf.d/auth-deny.conf.ext
new file mode 100644
index 0000000000..f2d897d1d1
--- /dev/null
+++ b/doc/example-config/conf.d/auth-deny.conf.ext
@@ -0,0 +1,15 @@
+# Deny access for users. Included from auth.conf.
+
+# Users can be (temporarily) disabled by adding a passdb with deny=yes.
+# If the user is found from that database, authentication will fail.
+# The deny passdb should always be specified before others, so it gets
+# checked first.
+
+# Example deny passdb using passwd-file. You can use any passdb though.
+passdb {
+ driver = passwd-file
+ deny = yes
+
+ # File contains a list of usernames, one per line
+ args = /etc/dovecot/deny-users
+}
diff --git a/doc/example-config/conf.d/auth-ldap.conf.ext b/doc/example-config/conf.d/auth-ldap.conf.ext
new file mode 100644
index 0000000000..a4f3334389
--- /dev/null
+++ b/doc/example-config/conf.d/auth-ldap.conf.ext
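Review bot: In auth-deny.conf.ext the comment still says the deny passdb must be specified before the others, but now that the block lives in its own included file that order is decided by where auth.conf pulls it in, and the file does not say so. The auth.conf hunk is not visible in this part of the patch, so the actual include order cannot be confirmed from here. If the deny file is included after another passdb, that earlier passdb may accept the user before the deny list is ever consulted. I would add a line such as `# Include this file from auth.conf before every other auth-*.conf.ext so the deny list is checked first.`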
@@ -0,0 +1,22 @@
+# Authentication for LDAP users. Included from auth.conf.
+#
+#
+
+passdb {
+ driver = ldap
+
+ # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
+ args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+#
+#userdb {
+# driver = prefetch
+#}
+
+userdb {
+ driver = ldap
+ args = /etc/dovecot/dovecot-ldap.conf.ext
+}
diff --git a/doc/example-config/conf.d/auth-master.conf.ext b/doc/example-config/conf.d/auth-master.conf.ext
new file mode 100644
index 0000000000..8e5107fd4f
--- /dev/null
+++ b/doc/example-config/conf.d/auth-master.conf.ext
@@ -0,0 +1,16 @@
+# Authentication for master users. Included from auth.conf.
+
+# By adding master=yes setting inside a passdb you make the passdb a list
+# of "master users", who can log in as anyone else.
+#
+
+# Example master user passdb using passwd-file. You can use any passdb though.
+passdb {
+ driver = passwd-file
+ master = yes
+ args = /etc/dovecot/master-users
+
+ # Unless you're using PAM, you probably still want the destination user to
+ # be looked up from passdb that it really exists. pass=yes does that.
+ pass = yes
+}
diff --git a/doc/example-config/conf.d/auth-passwdfile.conf.ext b/doc/example-config/conf.d/auth-passwdfile.conf.ext
new file mode 100644
index 0000000000..3f57ceebdf
--- /dev/null
+++ b/doc/example-config/conf.d/auth-passwdfile.conf.ext
@@ -0,0 +1,14 @@
+# Authentication for passwd-file users. Included from auth.conf.
+#
+# passwd-like file with specified location.
+#
+
+passdb {
+ driver = passwd-file
+ args = scheme=CRYPT username_format=%u /etc/dovecot/users
+}
+
+userdb {
+ driver = passwd-file
+ args = username_format=%u /etc/dovecot/users
+}
diff --git a/doc/example-config/conf.d/auth-sql.conf.ext b/doc/example-config/conf.d/auth-sql.conf.ext
new file mode 100644
index 0000000000..9d69fb8e2f
--- /dev/null
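Review bot: Both the passdb and the userdb in auth-ldap.conf.ext point at /etc/dovecot/dovecot-ldap.conf.ext, and nothing in the example says how that file should be protected. Such a file normally carries the directory bind credentials (an assumption, since its content is not part of this patch), so a world-readable copy would expose them to every local account. I would add above the first `args` line `# This file usually holds the bind password; keep it owned by root and not world-readable.` The same applies to the dovecot-sql.conf.ext path in the auth-sql.conf.ext hunk.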
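Review bot: The master-user example in auth-master.conf.ext names /etc/dovecot/master-users with no word on protecting it, although the comment above it states that these accounts can log in as anyone else. A readable or weakly hashed entry in that file is equivalent to access to every mailbox the server holds. I would add next to `args` the comment `# Credentials in this file open every mailbox: keep it root-only and store the passwords hashed.`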
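Review bot: `scheme=CRYPT` in the auth-passwdfile.conf.ext passdb is given without explanation, so readers are likely to copy it as the recommended hash format. As far as I know it only sets the default for entries that carry no `{SCHEME}` prefix and leaves verification to the system crypt(), whose strength depends on the hash variant actually stored; that should be confirmed against the password scheme documentation. I would add above the `args` line `# scheme= is only the default for entries without a {SCHEME} prefix; store new passwords with a salted, iterated scheme.`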
+++ b/doc/example-config/conf.d/auth-sql.conf.ext
@@ -0,0 +1,22 @@
+# Authentication for SQL users. Included from auth.conf.
+#
+#
+
+passdb {
+ driver = sql
+
+ # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+#
+#userdb {
+# driver = prefetch
+#}
+
+userdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
diff --git a/doc/example-config/conf.d/auth-system.conf.ext b/doc/example-config/conf.d/auth-system.conf.ext
new file mode 100644
index 0000000000..2a23cef47d
--- /dev/null
+++ b/doc/example-config/conf.d/auth-system.conf.ext
@@ -0,0 +1,71 @@
+# Authentication for system users. Included from auth.conf.
+#
+#
+#
+
+# PAM authentication. Preferred nowadays by most systems.
+# PAM is typically used with either userdb passwd or userdb static.
+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
+# authentication to actually work.
+passdb {
+ driver = pam
+ # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
+ # [cache_key=] []
+ #args = dovecot
+}
+
+# System users (NSS, /etc/passwd, or similiar).
+# In many systems nowadays this uses Name Service Switch, which is
+# configured in /etc/nsswitch.conf.
+#passdb {
+ #driver = passwd
+ # [blocking=yes]
+ #args =
+#}
+
+# Shadow passwords for system users (NSS, /etc/shadow or similiar).
+# Deprecated by PAM nowadays.
+#
+#passdb {
+ #driver = shadow
+ # [blocking=yes]
+ #args =
+#}
+
+# PAM-like authentication for OpenBSD.
+#
+#passdb {
+ #driver = bsdauth
+ # [cache_key=]
+ #args =
+#}
+
+##
+## User databases
+##
+
+# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
+userdb {
+ #
+ driver = passwd
+ # [blocking=no]
+ #args =
+}
+
+# Static settings generated from template
+#userdb {
+ #driver = static
+ # Can return anything a userdb could normally return. For example:
+ #
+ # args = uid=500 gid=500 home=/var/mail/%u
+ #
+ # LDA and LMTP needs to look up users only from the userdb. This of course
+ # doesn't work with static userdb because there is no list of users.
+ # Normally static userdb handles this by doing a passdb lookup. This works
+ # with most passdbs, with PAM being the most notable exception. If you do
+ # the user verification another way, you can add allow_all_users=yes to
+ # the args in which case the passdb lookup is skipped.
+ #
+ #args =
+#}
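Review bot: The static userdb comment at the end of auth-system.conf.ext offers `allow_all_users=yes` as a way to skip the passdb lookup but does not state what that costs. Read literally, once the lookup is skipped nothing on the userdb side distinguishes real users from arbitrary names during LDA and LMTP delivery; that reading should be confirmed against the static userdb documentation. I would extend the comment with `# With allow_all_users=yes every name is accepted here, so unknown recipients must be rejected before delivery reaches Dovecot.` The comments in this hunk also spell "similiar" three times where "similar" is meant.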
diff --git a/doc/example-config/conf.d/auth-vpopmail.conf.ext b/doc/example-config/conf.d/auth-vpopmail.conf.ext new file mode 100644 index 0000000000..71f1dcbf5e --- /dev/null +++ b/doc/example-config/conf.d/auth-vpopmail.conf.ext @@ -0,0 +1,15 @@ +# Authentication for vpopmail users. Included from auth.conf. +# +# + +passdb { + driver = vpopmail + + # [cache_key=] + # [quota_template=