doveadm-auth(1) - Flush/lookup/test authentication data
SYNOPSIS
doveadm [GLOBAL OPTIONS] auth command [OPTIONS] [ARGUMENTS]
DESCRIPTION
The doveadm auth COMMANDS can be used to perform various authentication related actions.
GLOBAL OPTIONS
Global doveadm(1) options:
- -D
Enables verbosity and debug messages.
- -O
Do not read any config file, just use defaults. The dovecot_storage_version defaults to the latest version, but can be overridden with -o.
- -k
Preserve entire environment for doveadm, not just import_environment.
- -v
Enables verbosity, including progress counter.
- -i instance-name
If using multiple Dovecot instances, choose the config file based on this instance name.
See instance_name for more information.
- -c config-file
Read configuration from the given config-file. By default it first reads config socket, and then falls back to /etc/dovecot/dovecot.conf. You can also point this to config socket of some instance running compatible version.
- -o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.
- -f formatter
Specifies the formatter for formatting the output. Supported formatters are:
- flow
- prints each line with key=value pairs.
- json
- prints a JSON array of JSON objects.
- pager
- prints each key: value pair on its own line and separates records with form feed character (^L).
- tab
- prints a table header followed by tab separated value lines.
- table
- prints a table header followed by adjusted value lines.
OPTIONS
- -x auth_info
auth_info specifies additional conditions for the user command. The auth_info option string has to be given as a name=value pair. For multiple conditions the -x option can be supplied multiple times.
Possible names for the auth_info are:
- service
- The service for which the userdb lookup should be tested. The value may be the name of a service, commonly used with Dovecot. For example: imap, pop3 or smtp.
- session
- Session identifier.
- lip
- The local IP address (server) for the test.
- rip
- The remote IP address (client) for the test.
- lport
- The local port, e.g. 143
- rport
- The remote port, e.g. 24567
- real_lip
- The local IP to which the client connected on this host.
- real_rip
- The remote IP from which the client connected to this host.
- real_lport
- The local port to which the client connected on this host.
- real_rport
- The remote port from which the client connected to this host.
- forward_<field>
- Field to forward as %{forward:field} to auth process.
ARGUMENTS
- user
- The user's login name. Depending on the configuration, the login name may be for example jane or john@example.com.
- password
- Optionally the user's password. doveadm(1) will prompt for the password, if none was given.
COMMANDS
auth cache flush
doveadm [GLOBAL OPTIONS] auth cache flush [-a master_socket_path] [user-mask ...]
Flush the authentication cache. By default the cache is flushed for all the users. You can also flush the cache for one or more users by providing a user-mask matching their usernames.
- -a master_socket_path
This option is used to specify an absolute path to an alternative UNIX domain socket.
By default doveadm(1) will use the socket /rundir/auth-master. The socket may be located in another directory, when the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.
- -x auth_info
auth_info specifies additional conditions for the user command. The auth_info option string has to be given as a name=value pair. For multiple conditions the -x option can be supplied multiple times.
Possible names for the auth_info are:
- service
- The service for which the userdb lookup should be tested. The value may be the name of a service, commonly used with Dovecot. For example: imap, pop3 or smtp.
- session
- Session identifier.
- lip
- The local IP address (server) for the test.
- rip
- The remote IP address (client) for the test.
- lport
- The local port, e.g. 143
- rport
- The remote port, e.g. 24567
- real_lip
- The local IP to which the client connected on this host.
- real_rip
- The remote IP from which the client connected to this host.
- real_lport
- The local port to which the client connected on this host.
- real_rport
- The remote port from which the client connected to this host.
- forward_<field>
- Field to forward as %{forward:field} to auth process.
auth cache status
doveadm [GLOBAL OPTIONS] auth cache status [-a master_socket_path] [--reset]
Show authentication cache statistics: number of hits, misses, hit ratio, number of positive/negative cache entries and the positive/negative/used/max cache sizes. This information can be used for tuning the cache size and TTL.
- -a master_socket_path
This option is used to specify an absolute path to an alternative UNIX domain socket.
By default doveadm(1) will use the socket /rundir/auth-master. The socket may be located in another directory, when the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.
- --reset
Reset the hit/miss/insert counters after reading them.
auth lookup
doveadm [GLOBAL OPTIONS] auth lookup [-a userdb_socket_path] [-x auth_info] [-f field] user [...]
Similar to doveadm-user(1) command, except it performs a passdb lookup (without authentication) instead of a userdb lookup.
- -a userdb_socket_path
This option is used to specify an absolute path to an alternative UNIX domain socket.
By default doveadm(1) will use the socket /rundir/auth-userdb. The socket may be located in another directory, when the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.
- -f field
When this option and the name of a userdb field is given, doveadm(1) will show only the value of the specified field.
- -x auth_info
auth_info specifies additional conditions for the user command. The auth_info option string has to be given as a name=value pair. For multiple conditions the -x option can be supplied multiple times.
Possible names for the auth_info are:
- service
- The service for which the userdb lookup should be tested. The value may be the name of a service, commonly used with Dovecot. For example: imap, pop3 or smtp.
- session
- Session identifier.
- lip
- The local IP address (server) for the test.
- rip
- The remote IP address (client) for the test.
- lport
- The local port, e.g. 143
- rport
- The remote port, e.g. 24567
- real_lip
- The local IP to which the client connected on this host.
- real_rip
- The remote IP from which the client connected to this host.
- real_lport
- The local port to which the client connected on this host.
- real_rport
- The remote port from which the client connected to this host.
- forward_<field>
- Field to forward as %{forward:field} to auth process.
auth test
doveadm [GLOBAL OPTIONS] auth test [-a auth_socket_path] [-A sasl_mech] [-x auth_info] user [password]
Test authentication for the given user.
- -a auth_socket_path
This option is used to specify an absolute path to an alternative UNIX domain socket.
By default doveadm(1) will use the socket /rundir/auth-client. The socket may be located in another directory, when the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.
- -A sasl_mech
The SASL mechanism used for the authentication. By default PLAIN is used.
- -x auth_info
auth_info specifies additional conditions for the user command. The auth_info option string has to be given as a name=value pair. For multiple conditions the -x option can be supplied multiple times.
Possible names for the auth_info are:
- service
- The service for which the userdb lookup should be tested. The value may be the name of a service, commonly used with Dovecot. For example: imap, pop3 or smtp.
- session
- Session identifier.
- lip
- The local IP address (server) for the test.
- rip
- The remote IP address (client) for the test.
- lport
- The local port, e.g. 143
- rport
- The remote port, e.g. 24567
- real_lip
- The local IP to which the client connected on this host.
- real_rip
- The remote IP from which the client connected to this host.
- real_lport
- The local port to which the client connected on this host.
- real_rport
- The remote port from which the client connected to this host.
- forward_<field>
- Field to forward as %{forward:field} to auth process.
auth login
doveadm [GLOBAL OPTIONS] auth login [-a auth_socket_path] [-m auth_master_socket_path] [-A sasl_mech] [-x auth_info] user [password]
Test full login for the given user; i.e. performing both passdb lookup (authentication) and userdb lookup (login).
- -a auth_socket_path
This option is used to specify an absolute path to an alternative UNIX domain socket.
By default doveadm(1) will use the socket /rundir/auth-client. The socket may be located in another directory, when the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.
- -m auth_master_socket_path
This option is used to specify an absolute path to an alternative UNIX domain socket for the master socket.
By default doveadm(1) will use the socket /rundir/auth-master. The socket may be located in another directory, when the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.
- -A sasl_mech
The SASL mechanism used for the authentication. By default PLAIN is used.
- -x auth_info
auth_info specifies additional conditions for the user command. The auth_info option string has to be given as a name=value pair. For multiple conditions the -x option can be supplied multiple times.
Possible names for the auth_info are:
- service
- The service for which the userdb lookup should be tested. The value may be the name of a service, commonly used with Dovecot. For example: imap, pop3 or smtp.
- session
- Session identifier.
- lip
- The local IP address (server) for the test.
- rip
- The remote IP address (client) for the test.
- lport
- The local port, e.g. 143
- rport
- The remote port, e.g. 24567
- real_lip
- The local IP to which the client connected on this host.
- real_rip
- The remote IP from which the client connected to this host.
- real_lport
- The local port to which the client connected on this host.
- real_rport
- The remote port from which the client connected to this host.
- forward_<field>
- Field to forward as %{forward:field} to auth process.
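Added example (not part of the Dovecot documentation): a shell helper that checks -x auth_info conditions against the names listed above before assembling a doveadm auth test command line. The function names, the restricted character set and the port range check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Dovecot's own code. Function names, the allowed
# character set and the port range check are assumptions.

# Succeeds only for auth_info names listed on this page.
valid_auth_info_name() {
    case "$1" in
        service|session|lip|rip|lport|rport) return 0 ;;
        real_lip|real_rip|real_lport|real_rport) return 0 ;;
        forward_?*) return 0 ;;   # forward_<field>
        *) return 1 ;;
    esac
}

# Usage: build_auth_test_cmd user [name=value ...]
# Prints the command line, or returns 1 with a message on stderr.
build_auth_test_cmd() {
    [ "$#" -ge 1 ] || { echo "user required" >&2; return 1; }
    user=$1; shift
    case "$user" in
        ''|-*|*[!A-Za-z0-9._@-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    cmd="doveadm auth test"
    for cond in "$@"; do
        case "$cond" in
            *[!A-Za-z0-9._:@/=-]*) echo "unsafe character: $cond" >&2; return 1 ;;
            ?*=?*) ;;             # looks like name=value
            *) echo "not name=value: $cond" >&2; return 1 ;;
        esac
        name=${cond%%=*}
        value=${cond#*=}
        valid_auth_info_name "$name" || { echo "unknown name: $name" >&2; return 1; }
        case "$name" in
            lport|rport|real_lport|real_rport)
                case "$value" in
                    *[!0-9]*|??????*) echo "bad port: $cond" >&2; return 1 ;;
                esac
                [ "$value" -ge 1 ] && [ "$value" -le 65535 ] ||
                    { echo "port out of range: $cond" >&2; return 1; }
                ;;
        esac
        cmd="$cmd -x $cond"
    done
    # No password argument: doveadm prompts for it, which keeps the
    # password out of the process list and shell history.
    printf '%s %s\n' "$cmd" "$user"
}

# Constructed sample using the values from this page's EXAMPLE section.
build_auth_test_cmd john service=imap rip=192.0.2.143
```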
EXAMPLE
This example demonstrates an imap authentication test for user john, assuming the user is connected from the host with the IP address 192.0.2.143.
doveadm auth test -x service=imap -x rip=192.0.2.143 john
Password:
passdb: john auth succeeded
extra fields:
  user=john
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List dovecot@dovecot.org. Information about reporting bugs is available at: https://dovecot.org/bugreport.html