changeset 20515:84cd7e08e8d6

auth: Skip authentication with noauthenticate
author Aki Tuomi <aki.tuomi@dovecot.fi>
date Sat, 09 Jul 2016 20:11:45 +0300
parents fe9ed1aa41ad
children 5bef6977c15e
files src/auth/auth-master-connection.c src/auth/auth-request-handler.c src/auth/auth-request.c src/auth/auth-worker-client.c src/auth/passdb-blocking.c src/auth/passdb-sql.c src/auth/passdb.h
diffstat 7 files changed, 39 insertions(+), 6 deletions(-) [+]
--- a/src/auth/auth-master-connection.c	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-master-connection.c	Sat Jul 09 20:11:45 2016 +0300
@@ -341,6 +341,7 @@
 	case PASSDB_RESULT_PASS_EXPIRED:
 		str_printfa(str, "NOTFOUND\t%u", auth_request->id);
 		break;
+	case PASSDB_RESULT_NEXT:
 	case PASSDB_RESULT_PASSWORD_MISMATCH:
 	case PASSDB_RESULT_INTERNAL_FAILURE:
 		str_printfa(str, "FAIL\t%u", auth_request->id);
--- a/src/auth/auth-request-handler.c	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-request-handler.c	Sat Jul 09 20:11:45 2016 +0300
@@ -305,6 +305,7 @@
 	auth_str_append_extra_fields(request, str);
 
 	switch (request->passdb_result) {
+	case PASSDB_RESULT_NEXT:
 	case PASSDB_RESULT_INTERNAL_FAILURE:
 	case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
 	case PASSDB_RESULT_USER_UNKNOWN:
--- a/src/auth/auth-request.c	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-request.c	Sat Jul 09 20:11:45 2016 +0300
@@ -485,6 +485,7 @@
 	case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
 		/* can be cached */
 		break;
+	case PASSDB_RESULT_NEXT:
 	case PASSDB_RESULT_USER_DISABLED:
 	case PASSDB_RESULT_PASS_EXPIRED:
 		/* FIXME: we can't cache this now, or cache lookup would
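Review bot: `PASSDB_RESULT_NEXT` is added under the FIXME that covers disabled and expired results, so the reason a noauthenticate result is not cached is never stated. The comment runs past the end of the hunk, but the visible part says nothing about this case. I would give it its own `case PASSDB_RESULT_NEXT:` with `/* noauthenticate: nothing was verified, never cache */` and a `break;`, so that a later fix for the FIXME does not start caching it by accident.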
@@ -652,6 +653,11 @@
 	case PASSDB_RESULT_INTERNAL_FAILURE:
 		result_rule = request->passdb->result_internalfail;
 		break;
+	case PASSDB_RESULT_NEXT:
+		auth_request_log_debug(request, AUTH_SUBSYS_DB,
+			"Not performing authentication (noauthenticate set)");
+		result_rule = AUTH_DB_RULE_CONTINUE;
+		break;
 	case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
 	case PASSDB_RESULT_USER_UNKNOWN:
 	case PASSDB_RESULT_PASSWORD_MISMATCH:
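Review bot: The new `PASSDB_RESULT_NEXT` case hard-codes `result_rule = AUTH_DB_RULE_CONTINUE`, while the neighbouring case reads its rule from `request->passdb`. The hunk does not show what happens when the passdb that set noauthenticate is the last one in the chain. Because NEXT means no credential was checked, the request has to end in failure unless a later passdb verifies it. The code that consumes `result_rule` lies outside the hunk, so that needs confirming there. A comment on the case would record the intent: `/* nothing was verified; only a later passdb may turn this into success */`.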
@@ -692,6 +698,7 @@
 	/* nopassword check is specific to a single passdb and shouldn't leak
 	   to the next one. we already added it to cache. */
 	auth_fields_remove(request->extra_fields, "nopassword");
+	auth_fields_remove(request->extra_fields, "noauthenticate");
 
 	if (request->requested_login_user != NULL &&
 	    *result == PASSDB_RESULT_OK) {
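Review bot: The comment above the two `auth_fields_remove()` calls still speaks only of nopassword, although the added line gives noauthenticate the same per-passdb lifetime. I would reword it to `/* nopassword and noauthenticate are specific to a single passdb and shouldn't leak to the next one. */`. It is also worth re-checking "we already added it to cache", since the cache hunk above lists `PASSDB_RESULT_NEXT` among the results that are not cached. The same staleness applies to the next hunk (@@ -706), where "this passdb lookup succeeded" now also covers `PASSDB_RESULT_NEXT`, a result for which nothing was verified.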
@@ -706,7 +713,7 @@
 		auth_request_want_skip_passdb(request, next_passdb))
 		next_passdb = next_passdb->next;
 
-	if (*result == PASSDB_RESULT_OK) {
+	if (*result == PASSDB_RESULT_OK || *result == PASSDB_RESULT_NEXT) {
 		/* this passdb lookup succeeded, preserve its extra fields */
 		auth_fields_snapshot(request->extra_fields);
 		request->snapshot_have_userdb_prefetch_set =
@@ -777,6 +784,10 @@
 
 	auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
 
+	if (result == PASSDB_RESULT_OK &&
+	    auth_fields_exists(request->extra_fields, "noauthenticate"))
+		result = PASSDB_RESULT_NEXT;
+
 	if (result != PASSDB_RESULT_INTERNAL_FAILURE)
 		auth_request_save_cache(request, result);
 	else {
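Review bot: This three-line downgrade from `PASSDB_RESULT_OK` to `PASSDB_RESULT_NEXT` is repeated verbatim in the next hunk (@@ -1009), and it is what keeps a noauthenticate passdb from ending in success. A small static helper called from both callbacks would stop the two copies drifting apart, for example `result = auth_request_apply_noauthenticate(request, result);` (the name is only a suggestion). Both enclosing functions start and end outside their hunks. Whether any other path, such as a cache hit, reaches a final result without this check cannot be told from here.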
@@ -1009,6 +1020,10 @@
 
 	auth_request_set_state(request, AUTH_REQUEST_STATE_MECH_CONTINUE);
 
+	if (result == PASSDB_RESULT_OK &&
+	    auth_fields_exists(request->extra_fields, "noauthenticate"))
+		result = PASSDB_RESULT_NEXT;
+
 	if (result != PASSDB_RESULT_INTERNAL_FAILURE)
 		auth_request_save_cache(request, result);
 	else {
@@ -2254,7 +2269,8 @@
 		return 0;
 	}
 
-	if (auth_fields_exists(request->extra_fields, "nopassword")) {
+	if (auth_fields_exists(request->extra_fields, "nopassword") ||
+	    auth_fields_exists(request->extra_fields, "noauthenticate")) {
 		auth_request_log_debug(request, subsystem,
 					"Allowing any password");
 		return 1;
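Review bot: Treating noauthenticate like nopassword makes this check return 1 for any input, so the feature is fail-open by construction. The outcome is safe only because the callbacks in the earlier hunks rewrite OK to `PASSDB_RESULT_NEXT` afterwards. The debug text "Allowing any password" is also misleading for this case, where the intent is that no authentication takes place at all. I would split the condition into its own branch with a message such as `"Skipping password check (noauthenticate set)"`, plus a comment naming the callbacks that must perform the downgrade. The function begins outside the hunk.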
--- a/src/auth/auth-worker-client.c	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/auth-worker-client.c	Sat Jul 09 20:11:45 2016 +0300
@@ -152,7 +152,10 @@
 	str_printfa(str, "%u\t", request->id);
 
 	if (result == PASSDB_RESULT_OK)
-		str_append(str, "OK");
+		if (auth_fields_exists(request->extra_fields, "noauthenticate"))
+			str_append(str, "NEXT");
+		else
+			str_append(str, "OK");
 	else
 		str_printfa(str, "FAIL\t%d", result);
 	if (result != PASSDB_RESULT_INTERNAL_FAILURE) {
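Review bot: The `if`/`else` nested under `if (result == PASSDB_RESULT_OK)` has no braces, so the final `else` that emits `FAIL` pairs with the outer `if` only because the inner one already has its own `else`. It is correct as written, but dropping or editing the inner `else` would silently re-bind the FAIL branch to the noauthenticate test, and compilers warn about this shape. Brace the outer branch: `if (result == PASSDB_RESULT_OK) {` … `} else`.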
@@ -235,10 +238,13 @@
 	str = t_str_new(128);
 	str_printfa(str, "%u\t", request->id);
 
-	if (result != PASSDB_RESULT_OK)
+	if (result != PASSDB_RESULT_OK && result != PASSDB_RESULT_NEXT)
 		str_printfa(str, "FAIL\t%d", result);
 	else {
-		str_append(str, "OK\t");
+		if (result == PASSDB_RESULT_NEXT)
+			str_append(str, "NEXT\t");
+		else
+			str_append(str, "OK\t");
 		str_append_tabescaped(str, request->user);
 		str_append_c(str, '\t');
 		if (request->credentials_scheme[0] != '\0') {
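Review bot: This callback recognises the case by `result == PASSDB_RESULT_NEXT`, whereas the callback in the previous hunk tests `auth_fields_exists(request->extra_fields, "noauthenticate")` on an OK result. In the auth-request.c hunks the rewrite to NEXT happens inside the request callbacks. If this worker callback is instead invoked with the passdb's raw result, which is not visible here, `result` would still be OK and the worker would answer `OK\t`. Using the same test in both places, or adding a comment saying where NEXT is produced on the worker side, would remove the doubt.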
--- a/src/auth/passdb-blocking.c	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/passdb-blocking.c	Sat Jul 09 20:11:45 2016 +0300
@@ -36,6 +36,13 @@
 		return PASSDB_RESULT_OK;
 	}
 
+	if (strcmp(*args, "NEXT") == 0 && args[1] != NULL) {
+		/* NEXT \t user [\t extra] */
+		auth_request_set_field(request, "user", args[1], NULL);
+		auth_worker_reply_parse_args(request, args + 1);
+		return PASSDB_RESULT_NEXT;
+	}
+
 	if (strcmp(*args, "FAIL") == 0 && args[1] != NULL) {
 		int result;
 		/* FAIL \t result [\t user \t password [\t extra]] */
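Review bot: The reply layout in the new comment, `NEXT \t user [\t extra]`, does not match what the worker's credentials callback writes in the auth-worker-client.c hunk, where the user is followed by a tab and a credentials field. `auth_worker_reply_parse_args()` is called with `args + 1`, so its first element is the user name just stored with `auth_request_set_field()`. If that helper expects to start at the password field, as the FAIL layout `user \t password [\t extra]` suggests, the user name would be taken as the password. The helper is not shown, so please confirm the offset (possibly `args + 2`) and correct the comment to the real layout.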
--- a/src/auth/passdb-sql.c	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/passdb-sql.c	Sat Jul 09 20:11:45 2016 +0300
@@ -99,7 +99,8 @@
 			auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
 				"Password query returned multiple matches");
 		} else if (auth_request->passdb_password == NULL &&
-			   !auth_fields_exists(auth_request->extra_fields, "nopassword")) {
+			   !auth_fields_exists(auth_request->extra_fields, "nopassword") &&
+			   !auth_fields_exists(auth_request->extra_fields, "noauthenticate")) {
 			auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
 				"Empty password returned without nopassword");
 			passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
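Review bot: The info message after the condition still reads "Empty password returned without nopassword", which no longer names both fields that suppress it. `"Empty password returned without nopassword or noauthenticate"` would match the condition. passdb-sql.c is the only backend touched in this changeset. Any other backend that rejects an empty password unless nopassword is set (none are visible here) would return a mismatch instead of letting noauthenticate through, so it is worth checking that they behave the same way.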
--- a/src/auth/passdb.h	Mon Jul 11 11:55:34 2016 +0300
+++ b/src/auth/passdb.h	Sat Jul 09 20:11:45 2016 +0300
@@ -16,6 +16,7 @@
 	PASSDB_RESULT_USER_UNKNOWN = -3,
 	PASSDB_RESULT_USER_DISABLED = -4,
 	PASSDB_RESULT_PASS_EXPIRED = -5,
+	PASSDB_RESULT_NEXT = -6,
 
 	PASSDB_RESULT_PASSWORD_MISMATCH = 0,
 	PASSDB_RESULT_OK = 1
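Review bot: `PASSDB_RESULT_NEXT` is added without a comment, and unlike its neighbours the name does not say what happened. A one-line comment would document the contract: `/* passdb set noauthenticate: nothing was verified, continue with the next passdb */`. If the negative value is deliberate, say so there too, so that callers treating only `PASSDB_RESULT_OK` as success are understood to fail closed on this result.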