.\"  <!-- $Id: authlib.sgml,v 1.2 2004/07/12 22:55:59 mrsam Exp $ -->
.\"  <!-- Copyright 1998 - 2001 Double Precision, Inc.  See COPYING for -->
.\"  <!-- distribution information. -->
.\" This manpage has been automatically generated by docbook2man 
.\" from a DocBook document.  This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/> 
.\" Please send any bug reports, improvements, comments, patches, 
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "AUTHLIB" "7" "12 July 2004" "Double Precision, Inc." ""

.SH NAME
authlib \- Courier Authentication Library
.SH SYNOPSIS

\fBauthpam\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthpwd\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthshadow\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthuserdb\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthvchkpw\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthcram\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthmysql\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthpgsql\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthldap\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthdaemon\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthcustom\fR \fB\fIcommand\fB\fR [ \fB\fIarg\fB\fR\fI ...\fR ]


\fBauthdaemond\fR [ \fBstart\fR | \fBstop\fR | \fBrestart\fR ]

.SH "DESCRIPTION"
.PP
This library is used for two purposes:
.PP
1. Read an E-mail address that is supposed to be for a local account.
Determine the local account's home directory, and system userid and
groupid.
.PP
2. Read a login id and a password.
If valid, determine the account's home directory, system userid, and
groupid.
.PP
The term "authentication" is used in the following documentation to refer
to either one of these two functions.
The library contains several alternative authentication implementations,
that may be selected at runtime.
.TP
\fBauthdaemon\fR
authenticates through a background daemon proxy.
This is now the installation default.
Unless otherwise specified, the authdaemon
module will always be installed.
authdaemon is installed instead of the other
authentication modules.
Those modules are instead compiled into a separate executable program,
authdaemond that is initialized at system start, and runs
in the background.
The authdaemon authentication module forwards the
authentication requests to authdaemond, which forwards
the authentication request to the real authentication module, and the
result of the request is eventually returned back to the application.
Because the real authentication process runs as a persistent background
process, it is possible for the authentication process to open and hold
permanent connections to the back-end authentication database (be it an
LDAP directory, a MySQL or a PostgreSQL server), instead of connecting
and disconnecting for every request.
Obviously, this tremendously improves the authentication performance.
.TP
\fBauthpam\fR
authenticates using the system's PAM library
(pluggable authentication module).
This is, essentially, a way to use existing PAM modules for authentication
functionality.
Note, however, that the authenticated account's home directory, userid and
groupid are still read from the \fI/etc/passwd\fR file,
since PAM functionality is limited to validating account passwords.
.TP
\fBauthpwd\fR
authenticates from the
\fI/etc/passwd\fR file.
.TP
\fBauthshadow\fR
like authpwd except passwords
are read from \fI/etc/shadow\fR\&.
.TP
\fBauthuserdb\fR
authenticates against the
\fBuserdb\fR(8) database.
.TP
\fBauthvchkpw\fR
supports existing vpopmail/vchkpw
virtual domains.
.TP
\fBauthcram\fR
authenticates against the
\fBuserdb\fR(8) database using the
challenge/response authentication mechanism (CRAM), instead of the traditional
userid/password.
.TP
\fBauthmysql\fR
authenticates against a list of mail accounts
stored in an external MySQL database.
The \fI/usr/lib/courier-imap/etc/authmysqlrc\fR configuration file defines the
particular details regarding the MySQL database and the schema of the
mail account list table.
.TP
\fBauthpgsql\fR
authenticates against a list of mail accounts
stored in an external PostgreSQL database.
The \fIauthpgsqlrc\fR configuration file defines the
particular details regarding the PostgreSQL database and the schema of the
mail account list table.
.TP
\fBauthldap\fR
authenticates against a list of mail accounts
stored in an external LDAP directory.
The \fI\fR configuration file defines the
particular details regarding the LDAP directory layout.
.TP
\fBauthcustom\fR
this is a stub where custom authentication code
can be added.
This authentication module is just a stub that doesn't really do anything.
It's purpose is to serve as a placeholder where custom authentication code
can be easily added.
.PP
This is a complete list of available authentication modules.
The actual installed authentication modules are determined by the resources
on the server.
For example, the authmysql authentication module will
be installed only if the system provides MySQL support libraries.
.SS "AUTHDAEMON AUTHENTICATION MODULE"
.PP
The following command must be executed from the system startup script
in order for the authdaemon module to work (and remember
that authdaemon is installed by default:
.sp
.RS
.PP

.nf
/usr/lib/courier-imap/libexec/authlib/authdaemond start
.fi
.RE
.PP
"\fBauthdaemond stop\fR" should also be added to the system
shutdown script.
.PP
The \fI/usr/lib/courier-imap/var/authdaemon\fR subdirectory must be created in
advance.
This directory will have the filesystem socket used for
interprocess communication between
authdaemon and authdaemond\&.
It goes without saying that
the underlying filesystem for \fI/usr/lib/courier-imap/var/authdaemon\fR must support
filesystem domain sockets. This pretty much excludes all network filesystems,
so this directory should reside on a local disk.
.PP
\fI/usr/lib/courier-imap/var/authdaemon\fR
MUST NOT HAVE any world-readable, executable
or writable permissions!  Under NO circumstances should this be allowed to
happen.  The exact permissions and ownership of
\fI/usr/lib/courier-imap/var/authdaemon\fR varies.  For the standalone versions of
Courier-IMAP and
SqWebMail,
\fI/usr/lib/courier-imap/var/authdaemon\fR should be owned by root, and have no
group or
world permissions.
For the Courier mail server,
\fI/usr/lib/courier-imap/var/authdaemon\fR
should be owned by the userid that Courier is installed under, and it must be
readable and writable by the Courier user and group (but no world
permissions).
.SS "CONFIGURING AUTHDAEMOND"
.PP
The \fI/usr/lib/courier-imap/etc/authdaemonrc\fR configuration file sets several
operational parameters for the \fIauthdaemond\fR process. See
the comments in the
default file installed for more information. Currently,
\fI/usr/lib/courier-imap/etc/authdaemonrc\fR sets two parameters: number of daemon
processes,
and authentication modules/process that will be used.
.PP
Although \fIauthdaemond\fR might include several
authentication modules, not all of them may be used.
This makes it possible to install the same
\fBauthdaemond\fR build on multiple
systems with different authentication needs. The default module list specified
in \fI/usr/lib/courier-imap/etc/authdaemonrc\fR would be a list of all the available
authentication modules.
.PP
\fB/usr/lib/courier-imap/libexec/authlib/authdaemond\fR is actually a very short
shell script that executes the real \fBauthdaemond\fR program.
The available programs are \fBauthdaemond.plain\fR,
\fBauthdaemond.ldap\fR,
\fBauthdaemond.mysql\fR, and
\fBauthdaemond.pgsql\fR\&.
The "plain" program contains all the authentication modules except for
authldap,
authmysql, and
authpgsql\&.
The "ldap" program includes all the authentication modules in "plain",
plus authldap
Ditto for the "mysql" and "pgsql" processes.
.PP
This arrangement allows convenient creation of pre-configured binary
packages.
The \fBauthdaemond\fR shell script runs
\fBauthdaemond.plain\fR only if none of the other processes
are installed on the system.
First, it checks if 
\fBauthdaemond.ldap\fR,
\fBauthdaemond.mysql\fR, or
\fBauthdaemond.pgsql\fR is installed.
If not, \fBauthdaemond.plain\fR is brought up.
This makes it possible to prepare a basic binary package that provides
only basic authentication services and does not require either LDAP,
MySQL, or PostgreSQL runtime support on the server.
If either of these authentication requirements are needed, a separate
binary sub-package will load the appropriate \fBauthdaemond\fR
process.
.PP
Note that it is not possible to use both LDAP and MySQL, for example,
authentication at the same time.
That's because their support is in different
\fBauthdaemond\fR processes, and only one
\fBauthdaemond\fR process can run at the same time.
If both (or all three non-plain processes) are installed, the
\fBauthdaemond\fR script picks either the first one it finds,
or whatever is explicitly specified in the
\fI/usr/lib/courier-imap/etc/authdaemonrc\fR configuration file.
.PP
The number of \fBauthdaemond\fR processes is also set in this
configuration file.  The more processes that are started, the more
authentication requests can be handled.  If
\fBauthdaemon\fR does not
receive an answer within a moderate amount of time, it will declare an
authentication failure, and abort. Try increasing the number of processes if
you start seeing random authentication failures.  However, that should only be
used as a stop-gap measure.  If the default number of
\fBauthdaemond\fR
processes proves to be insufficient, it is far more likely that more resources
are needed for the server: more RAM, a faster disk, or a faster CPU, at least
in the humble opinion of the author. Increasing the number of processes should
only be used as a stop-gap measure, until a more thorough analysis on the
bottleneck can be made.
.sp
.RS
.PP

.nf
/usr/lib/courier-imap/libexec/authlib/authdaemond restart
.fi
.RE
.PP
Run the above command after making any changes to
\fI/usr/lib/courier-imap/etc/authdaemonrc\fR\&.
"\fBauthdaemond restart\fR"
is required for any changes to take effect.
.SH "AUTHENTICATION PROTOCOL"
.PP
The rest of this documentation describes the internal protocol used by
this authentication library.
It is only of interest to developers who wish to extend the authentication
library to support a custom authentication module,
or a derived extension to an existing module.
.PP
The original implementation of this authentication library used small,
self-contained, binary programs, named for their authentication module:
authldap,
authpam, and others.
Later, the authdaemon module came about, which wrapped
the other authentication modules into a separate background daemon
process, which communicated with the authdaemon module.
The authdaemon module is now always enabled by default,
but it is still possible to build and install each authentication module
as a self-contained binary program.
Note, however, that applications such as
\fBSqWebMail\fR,
and
\fBCourier\fR
link directly with all the authentication modules, and will not use external
modules for authentication.
.PP
authdaemon came about as a direct result of technical
issues that prevented \fBSqWebMail\fR and
\fBCourier\fR from using external binary modules.
authdaemond is really nothing more than
a simple application that
links directly with the authentication modules, and talks to the
authdaemon authentication module that follows this
authentication protocol.
.SS "STAND-ALONE AUTHENTICATION MODULES"
.PP
This section describes the authentication protocol for self-contained
authentication modules.
Although the default configuration no longer uses self-contained modules,
the stand-alone protocol serves as a foundation for the protocol used by
authentication modules as part of the authdaemond
authentication process, or when they are linked directly with the application
that uses this authentication library.
.PP
Here's the typical way that stand-alone authentication modules are used:
.PP
1. A list of authentication modules are read from a configuration file.
Multiple authentication modules could be available, but not all of them
are required in most situations.
.PP
2. The application executes the following command:
.sp
.RS
.PP

.nf
LOGIN AUTHMODULE1 AUTHMODULE2 ... APP
.fi
.RE
.PP
LOGIN is a full pathname to an application that reads
the authentication information, such as the userid and a password.
Arguments to LOGIN are full pathnames to each
authentication module (if there are more than one), followed by a full
pathname to the main application.
.PP
3. LOGIN reads the userid and password, then runs
the program specified by its first argument, which is the first
authentication module.
The remaining arguments are passed to the new process.
The mechanism by which the authentication information is passed to the
authentication module is described later.
.PP
4. Each authentication module reads the authentication information, and
determines if the previous authentication module succesfully processed
the authentication request.
If not, the module attempts to authenticate it itself.
In any event, the module runs the next program specified by its first
argument, and the remaining arguments are passed along to the next
program.
If any previous authentication module succesfully processed the
authentication request, the next program is run immediately without
any further processing.
.PP
5. Eventually, APP runs,
APP reads the authentication information and
determines whether any authentication module managed to succesfully
process the authentication request.
If so, APP runs normally.
Otherwise, APP runs LOGIN with its
original arguments in order to return an error message ("Password invalid",
or something similar) and read the next authentication request.
.PP
Daisy-chaining authentication modules, in this fashion, makes it possible
to have hybrid systems that use multiple authentication modules.
Example: using authpam to authenticate system accounts,
and authmysql to authentication virtual mailboxes without
a corresponding system account.
.PP
Here's a more detailed description of the overall process:
.SS "THE LOGIN PROCESS"
.PP
The LOGIN process checks if the AUTHARGC
environment variable is set.  If not, this is the first time the
LOGIN process comes up, and LOGIN
displays the initial login prompt.  Additionally, the command line arguments
to LOGIN are 
literal copied to the AUTHARGC
and AUTHARGVn environment variables.
That is: the number of command line arguments is saved in
AUTHARGC; the zeroth command line argument is saved in
AUTHARGV0; the remaining command line arguments are saved
in AUTHARGV1, AUTHARGV2,
and so on.
.PP
After obtaining the authentication information (such as the userid and
password), LOGIN creates a pipe, and arranges for the
output end of the pipe to be located on file descriptor #3.
The LOGIN process forks; the original process then
executes the first authentication module, in the manner described earlier;
the child process writes the authentication record to the pipe, then
terminates.
.PP
The authentication record is a chunk of data in the following
format:
.sp
.RS
.PP
\fISERVICE\fR<NEWLINE>\fIAUTHTYPE\fR<NEWLINE>\fIAUTHDATA\fR
.RE
.PP
Each occurence of <NEWLINE> represents an ASCII linefeed
character (#10).
"SERVICE" identifies the service that originates the
authentication request, such as "imap", or "webmail".
Authentication module may use this identifier, or ignore it.
.PP
"AUTHTYPE" identifies the format of the authentication
request.
Everything after the second <NEWLINE> is an opaque blob
of data, whose format is determined by AUTHTYPE\&.
.sp
.RS
.B "Note:"
There's a theoretical upper limit on the maximum size of the authentication
record. It is high enough not to matter in most situations
(the total number of characters allowed cannot be
more than 8189 characters on a typical GNU/Linux system).
.RE
.PP
The following AUTHTYPE formats are currently defined:
.TP
\fBlogin\fR
A typical userid/password authentication request. AUTHDATA contains the following data:
\fIuserid\fR<NEWLINE>\fIpassword\fR<NEWLINE>\&.
.TP
\fBcram-md5\fR
Specifies the CRAM-MD5
authentication request.
AUTHDATA contains the following data:
\fIchallenge\fR<NEWLINE>\fIresponse\fR<NEWLINE>\&.
The "challenge" and "response" strings are
base64-encoded.
.TP
\fBcram-sha1\fR
Specifies the CRAM-SHA1
authentication request, instead of CRAM-MD5, and uses the same format for
AUTHDATA\&.
.SS "THE AUTHENTICATION MODULE"
.PP
The first thing an authentication module does is check if the environment
variable AUTHENTICATED is set to a non-empty string.
If so, it means that a previous authentication module has handled the
authentication request, so this module simply runs the next program,
specified by the first argument to this authentication module.
.PP
Otherwise, the authentication module reads the authentication record from
file descriptor #3, and determines whether it wants to try this
authentication record.
If not, the module creates a new pipe, arranges the output of the pipe
to be on file descriptor #3, forks, the parent process runs the next
authentication module, and the child process writes the authentication
record to the pipe, then exits.
.PP
There are two ways to handle an authentication request:
1) Use the AUTHARGC and AUTHARGVn
variables to restart the entire authentication process - this is used
in the event it is determined that the authentication request must be
failed, or 2) run the next daisy-changed module, in the manner described
previously, when it is determined that another authentication module can
attempt to try to handle this request.
.PP
The following action occurs when
the authentication module succesfully validates an authentication request:
.PP
1. The authenticated login ID is saved in the AUTHENTICATED
environment variable.
.PP
2. The process's userid and groupid are reset to the corresponding
userid and groupid of the authenticated login id, and the current directory
is set to the process's defined home directory.
.PP
3. Some additional environment variables may also be initialized:
AUTHFULLNAME - the login ID's full name;
MAILDIR - the login ID's default maildir mailbox;
MAILDIRQUOTA - the requested maildir quota.
.SS "THE APPLICATION PROCESS"
.PP
Eventually, APP runs.
The process closes file descriptor #3 (if it's open, and ignores the error
if file descriptor #3 does not exist).
If the AUTHENTICATED environment variable is set,
it must mean that an authentication module was able to handle this
authentication request, so APP starts up and runs normally.
Otherwise the
original command is reconstructed from the
AUTHARGC and AUTHARGVn
variables, and the initial login process runs again.
.SS "LIBRARY FUNCTIONS"
.PP
This authentication library provides several convenient functions which
can be used to quickly create a compliant login process, and its
corresponding application.
The login process should be structured as follows:
.sp
.RS
.SS "A SAMPLE LOGIN PROCESS"

.nf
int main(int argc, char **argv)
{
   if (authmoduser(argc, argv, TIMEOUT, ERR_TIMEOUT))
   {
      /* Print initial greeting here */
   }
   else
   {
      /* Error: invalid userid/password */
   }

   /* read userid and password */

   authmod(argc-1, argv+1, SERVICE, AUTHTYPE, AUTHDATA);
}
.fi
.RE
.PP
The \fBauthmoduser\fR function takes care of copying
the command line parameters to their corresponding environment variables,
and checking whether or not this is the initial time this process runs,
or if it is running again after a failed authentication process.
TIMEOUT specifies the absolute login timeout,
\fBauthmoduser\fR quietly terminates the process if it
runs due to a failed authentication request and at least
TIMEOUT seconds have elapsed since the first time
\fBauthmoduser\fR was run.
ERR_TIMEOUT specifies the number of seconds that
\fBauthmoduser\fR will sleep after a failed
authentication request.
.PP
The SERVICE, AUTHTYPE, and
AUTHDATA arguments to \fBauthmod\fR
are null-terminated character strings that form the authentication request.
\fBauthmod\fR takes care of setting up the pipe to the
first authentication module, and runs it.
.PP
The application process is even simpler:
.sp
.RS
.SS "A SAMPLE APP PROCESS"

.nf
int main(int argc, char **argv)
{
const char *loginid=authmodclient();

   /* Application begins normally */

}
.fi
.RE
.PP
The \fBauthmodclient\fR function returns the authenticated
login ID.
If the authentication request failed, \fBauthmodclient\fR
reruns the original login process, and doesn't return.
.SS "INSIDE AN AUTHENTICATION MODULES"
.PP
An authentication module needs to define the following structure:
.sp
.RS
.SS "STRUCT AUTHSTATICINFO"

.nf
struct authstaticinfo {
        const char *auth_name;
        char * (*auth_func)(const char *, const char *, char *, int,
                        void (*)(struct authinfo *, void *),
                        void *);
        int (*auth_prefunc)(const char *, const char *,
                        int (*)(struct authinfo *, void *),
                        void *);
        void (*auth_cleanupfunc)();
        int (*auth_changepwd)(const char *, /* service */
                              const char *, /* userid */
                              const char *, /* oldpassword */
                              const char *); /* new password */
        } ;
.fi
.RE
.PP
\fBauth_func\fR points to a function that handles the
authentication request.
If succesful, \fBauth_func\fR is responsible for resetting
the userid and groupid, changing to the authentication account's home
directory, and setting up the necessary environment variables.
The first three arguments to \fBauth_func\fR will be
SERVICE, AUTHTYPE, and
AUTHDATA\&.
The next argument is a boolean flag which is non-zero if the authentication
code is being called in the context of a stand-alone authentication module,
or zero if the authentication code is called directly by an application.
The fifth argument points is a callback function pointer, which
may be NULL.
If it's not null, \fBauth_func\fR should not reset
the userid, groupid, or the home directory of this process, but
should instead initialize the authinfo
structure, which is defined as follows:
.sp
.RS
.SS "STRUCT AUTHINFO"

.nf
struct authinfo {
        const char *sysusername;
        const uid_t *sysuserid;
        gid_t sysgroupid;
        const char *homedir;

        const char *address;	/* The E-mail address */
        const char *fullname;	/* gecos, etc... */
        const char *maildir;
        const char *quota;

        const char *passwd;
        const char *clearpasswd;        /* For authldap */

        unsigned staticindex;   /* When statically-linked functions are
                                ** called, this holds the index of the
                                ** authentication module in authstaticlist */

        } ;
.fi
.RE
.PP
The
\fBpasswd\fR,
\fBclearpasswd\fR, and
\fBstaticindex\fR fields are not used by
\fBauth_func\fR\&.
Either \fBsysusername\fR or
\fBsysuserid\fR must be a non-NULL pointer.
\fBsysuserid\fR specifies an explicit userid,
otherwise \fBsysusername\fR is looked up in the
password file.
.PP
The last argument to \fBauth_func\fR is an opaque
pointer that gets passed as the second argument to the callback
function.
.PP
\fBauth_func\fR
should return a pointer to the authenticated loginid, in dynamic memory
(the memory should be \fBfree()\fRed after user.
A NULL return indicates an authentication failure.
The authentication module should set \fBerrno\fR to
EPERM in the event that it the next authentication module
should have a chance to process the authentication request, or use
any other \fBerrno\fR value to immediately fail the authentication
request, and rerun the original login process.
.SS "LINKED AUTHENTICATION MODULES"
.PP
The \fBauth_prefunc\fR,
\fBauth_cleanupfunc\fR,
and \fBauth_changepwd\fR functions are not used by
stand-alone modules, but when the authentication module is directly
linked with an application.
.PP
\fBauth_prefunc\fR verifies that the requested userid
exists.
No passwords are validated, the first two arguments to
\fBauth_prefunc\fR are the userid, and
SERVICE\&.
\fBauth_prefunc\fR should initialize an
authinfo structure, and run the
callback function, the third argument to
\fBauth_prefunc\fR\&.
The callback function receives the fourth argument to
\fBauth_prefunc\fR as an opaque pointer.
.PP
\fBauth_prefunc\fR should come back with the callback
function's return code, if the requested userid was found.
Otherwise,
\fBauth_prefunc\fR should return a non-zero integer.
A positive integer should be return in the event that this authentication
request should be stopped, and a negative itneger if another authentication
module can be tried.
An application that links against this authentication library will run
each configured authentication module's
\fBauth_prefunc\fR,
until some module is able to process the requested userid, or until
\fBauth_prefunc\fR comes back with a non-zero positive
return code.
.PP
\fBauth_func\fR or
\fBauth_prefunc\fR might allocate some internal resources,
which should be freed by calling
\fBauth_cleanupfunc\fR\&.
.PP
The \fBauth_changepwd\fR
function is called to implement the change password functionality.
.SS "OTHER AUTHENTICATION LIBRARY FUNCTION"
.PP
This authentication library contains several functions and macros that
can be helpful in building authentication modules.
.sp
.RS
.SS "TURNING AUTH_FUNC INTO A MODULE"

.nf
#define MODULE  auth_func
#include        "mod.h"
.fi
.RE
.PP
\fImod.h\fR contains template code that reads an authentication
request from the previous authentication module, call
\fBauth_func\fR, in such a manner, and appropriately
run the next module in the authentication chain.
.PP
The \fIauth.h\fR header file also declares several useful
functions that authentication-related code may find convenient.
.SS "BUILDING AUTHDAEMOND"
.PP
This authentication library builds alternate versions of the
\fBauthdaemond\fR background process.
Some authentication modules have dependencies on external libraries,
such as
authldap,
authmysql, and
authpgsql\&.
The authentication library prepares separate versions of
\fBauthdaemond\fR for each authentication module with a
dependency.
Each one of these \fBauthdaemond\fR versions will also include
all other authentication modules that do not have dependencies.
.PP
The authentication module configuration for each
\fBauthdaemond\fR
is set in the
\fIauthdaemond.versions\fR file.
A new authentication module will have to be added to
\fIauthdaemond.versions\fR (potentially creating another
\fBauthdaemond\fR build).
The \fIconfigure\fR script must be run after making any
changes to \fIauthdaemond.versions\fR\&.
.SH "FILES"
.PP
\fI /usr/lib/courier-imap/etc/authmodulelist\fR - list of authentication
modules read by applications that directly link with
\fIauthlib\fR
.PP
\fI /usr/lib/courier-imap/etc/authdaemonrc\fR - \fBauthdaemond\fR configuration file
.PP
\fI /usr/lib/courier-imap/etc/authldaprc\fR - \fBauthldap\fR configuration file
.PP
\fI /usr/lib/courier-imap/etc/authmysqlrc\fR - \fBauthmysql\fR configuration file
.PP
\fI /usr/lib/courier-imap/etc/authpgsqlrc\fR - \fBauthpgsql\fR configuration file
.SH "SEE ALSO"
.PP
\fBcourier\fR(8),
\fBuserdb\fR(8)