dovecotlist at encambio.com
2009-Nov-02 13:22 UTC
[Dovecot] X.509 certificate based IMAP login
Hello list,

The Dovecot version is 1.2.6 running on Solaris x86 11 (nv-b91). The relevant configuration lines are:

passdb ldap {
  # LDAP database (doc/wiki/AuthDatabase.LDAP.txt)
  args = /pfx/etc/dovecot/dovecot-ldap.conf
}

The file dovecot-ldap.conf is correct and LDAP authentication is working well. We would like to make it possible for users with an X.509 client certificate to log in without providing LDAP or any other credentials. Is there something like:

passdb x509 {
  args = /pfx/etc/dovecot/dovecot-caroots.pem
  nopwd = yes
}

...available, or is there another solution?

Thanks,
Brian
On Mon, 2009-11-02 at 14:22 +0100, dovecotlist at encambio.com wrote:
> We would like to make it possible for users with an X.509 client
> certificate to log in without providing LDAP or any other
> credentials.

Well.. These get you a bit further:

ssl_ca_file = /pfx/etc/dovecot/dovecot-caroots.pem
ssl_verify_client_cert = yes
auth_ssl_username_from_cert = yes

but to disable password check the passdb also needs to check if %k variable's value is "valid". With SQL this would be easy. With LDAP, I guess it doesn't really work now. Unless you used e.g. checkpassword script to do both checks.
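The checkpassword route Timo mentions, as an added example (my own sketch, not code from the thread, from Dovecot, or from either poster). It is a passdb checkpassword script that grants the login only when Dovecot reports the client certificate as valid and ignores the password entirely; the LDAP side is not shown. Two things are assumptions rather than facts from the thread: that the %k ("valid-client-cert") value reaches the script as an environment variable named VALID_CLIENT_CERT, and the checkpassword calling convention as I recall it from the Dovecot 1.2 documentation (username and password NUL-separated on fd 3, exec of the reply binary given as $1 with AUTHORIZED set to 2 on success, exit 1 on failure). The sample input in the usage is constructed.

```shell
#!/bin/sh
# Added example, not Dovecot's own code. Certificate-only login via a
# checkpassword-style passdb script.
#
# Intended dovecot.conf fragment (from Timo's reply plus Brian's
# ssl_cert_username_field line):
#   ssl_ca_file = /pfx/etc/dovecot/dovecot-caroots.pem
#   ssl_verify_client_cert = yes
#   auth_ssl_username_from_cert = yes
#   ssl_cert_username_field = emailAddress
#   passdb checkpassword { args = /pfx/etc/dovecot/cert-login.sh }
#
# ASSUMPTION: Dovecot exposes the %k variable ("valid" when the client
# presented a certificate chaining to ssl_ca_file) to the script as the
# environment variable VALID_CLIENT_CERT. Verify against your Dovecot
# version's checkpassword documentation before relying on it.

# Read "user\0password\0" from stdin (the caller redirects fd 3 here)
# and print only the user. The password is deliberately never looked at:
# the certificate is the credential.
parse_checkpassword_user() {
    tr '\000' '\n' | head -n 1
}

# Decide whether a certificate-only login is allowed.
#   $1 = username taken from the certificate's emailAddress
#   $2 = %k value ("valid" or anything else)
# Returns 0 to grant, 1 to deny.
decide_cert_login() {
    user=$1
    cert_state=$2
    # Reject empty or unusual usernames so a crafted certificate subject
    # cannot smuggle LDAP filter metacharacters into the later userdb lookup.
    case "$user" in
        ''|*[!A-Za-z0-9@._+-]*) return 1 ;;
    esac
    # Only the exact string "valid" counts; a missing or mismatched
    # certificate (empty %k) must fall through to denial.
    [ "$cert_state" = "valid" ]
}

# checkpassword protocol entry point (assumed convention, see header):
# $1 is the reply binary to exec on success; exit 1 means "auth failed".
main() {
    reply=$1
    user=$(parse_checkpassword_user <&3)
    if decide_cert_login "$user" "${VALID_CLIENT_CERT:-}"; then
        USER=$user AUTHORIZED=2 exec "$reply"
    fi
    exit 1
}

# Only speak the protocol when Dovecot invokes us with a reply binary.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Without a password check, everything rests on ssl_verify_client_cert and the contents of ssl_ca_file, so keep that bundle to the one CA that issues client certificates and make sure revoked certificates are handled (Dovecot 1.2 reads CRLs from the same ssl_ca_file), otherwise a lost laptop keeps its mailbox access until the certificate expires.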
dovecotlist at encambio.com
2009-Nov-03 18:59 UTC
[Dovecot] X.509 certificate based IMAP login
Hello Timo,

On Tue, Nov 03, 2009, Timo SIRAINEN wrote:
> On Mon, 2009-11-02 at 14:22 +0100, dovecotlist at encambio.com wrote:
>> We would like to make it possible for users with an X.509 client
>> certificate to log in without providing LDAP or any other
>> credentials.
>
> Well.. These get you a bit further:
>
> ssl_ca_file = /pfx/etc/dovecot/dovecot-caroots.pem
> ssl_verify_client_cert = yes
> auth_ssl_username_from_cert = yes

We've got that as well as:

ssl_cert_username_field = emailAddress

> but to disable password check the passdb also needs to check if %k
> variable's value is "valid". With SQL this would be easy. With LDAP, I
> guess it doesn't really work now. Unless you used e.g. checkpassword
> script to do both checks.

Thanks Timo, I'll check out the checkpassword script feature, which I think is new to Dovecot since a few months. We're not using SQL at all, so hopefully it will work with LDAP and checkpassword.

Regards,
Brian