On 27.11.2012, at 9.37, Nikita Koshikov wrote:

>>> Here is the problem:
>>> I have few:
>>> passdb {
>>> #1
>>> }
>>> passdb {
>>> #2
>>> }
>>> And relative userdb sections. If user not found in 1) section it falls back
>>> to next one - it's expected and right, IMHO. But when the user exists in
>>> both section and password verification fails on 1) database it successfully
>>> authenticated on next one. I think this behaviour should be configured. The
>>> main goal of 1) section for this server is to overwrite users in main
>>> (section2) database.
>>
> Thanks for the answer. It's a pity to hear, because it's security feature I
> need to provide. The problem - that main passdb - is ldap and there are
> about - 5-7 people who can edit it and simply to login as different users.
> Yes, activity is logged - but mailbox can be read\stolen. The main goal for
> passwd-file database is to rewrite ldap very critical mailboxes to local
> file. It can be edited only by 1 person - it is natural to trust 1, but
> not to 7.

Try if a modified version of Alessio's suggestion works:

passdb {
  driver = passwd-file
  args = /etc/passwd.important
}
passdb {
  driver = passwd-file
  args = /etc/passwd.important
  deny = yes
}
passdb {
  driver = ldap
}
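
Added example, not part of the original message and not Dovecot code: a simplified Python model of the two-passdb setup from the question next to the three-passdb chain suggested above. It assumes that a password mismatch falls through to the next passdb (as described in the thread) and that a deny = yes passdb rejects any user it lists; all names, users and passwords are constructed.

```python
# Simplified model of the passdb chain discussed in this thread (not Dovecot code).
# All users and passwords below are constructed sample data.
from dataclasses import dataclass
from hmac import compare_digest

@dataclass
class PassDB:
    name: str
    users: dict          # username -> password (plaintext only for this model)
    deny: bool = False   # models "deny = yes"

def authenticate(chain, user, password):
    """Walk the chain in order; return (ok, name of the passdb that decided)."""
    for db in chain:
        stored = db.users.get(user)
        if stored is None:
            continue                   # unknown user: fall back to the next passdb
        if db.deny:
            return False, db.name      # user listed in a deny passdb: reject
        if compare_digest(stored.encode(), password.encode()):
            return True, db.name
        # Password mismatch: as described in the thread, the next passdb is tried.
    return False, None

IMPORTANT = {"ceo": "local-secret"}                       # stands in for /etc/passwd.important
LDAP = {"ceo": "set-by-ldap-admin", "alice": "alice-pw"}  # editable by several admins

original = [PassDB("passwd-file", IMPORTANT), PassDB("ldap", LDAP)]
suggested = [
    PassDB("passwd-file", IMPORTANT),
    PassDB("passwd-file-deny", IMPORTANT, deny=True),
    PassDB("ldap", LDAP),
]

def report():
    """Run the same login attempts against both chains."""
    attempts = (("ceo", "local-secret"), ("ceo", "set-by-ldap-admin"),
                ("alice", "alice-pw"))
    return [(label, user, *authenticate(chain, user, pw))
            for label, chain in (("original", original), ("suggested", suggested))
            for user, pw in attempts]

if __name__ == "__main__":
    for row in report():
        print(row)
```

In the model, the LDAP-side password for a user listed in the important file is accepted by the original chain and rejected by the suggested one, while users that exist only in LDAP log in as before.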