We use dovecot in a heterogeneous environment (Windows/Linux desktops and Linux servers). For unified authentication we use the "Samba/OpenLDAP" combination (i.e., a Samba NT domain with an openldap backend, and pam/nss_ldap for Linux).

Windows users are authenticated well everywhere, but there is one old issue. As "SPA" (NTLM) against the NT domain is not supported by dovecot, it is necessary to use the default "plain" method. In addition to the security problems, this also causes a password unification problem: each time a user changes the password, he has to do it once more for the mail program.

I know that dovecot supports NTLM, but only against a local database (not against the NT domain controller). In early versions support for cyrus-sasl (which supports NTLM now) had been incorporated, but it apparently did not work and has now been removed. Fortunately, there is a possibility to substitute the dovecot-auth executable. Therefore I have tried to make an alternative variant of dovecot-auth which supports all that we need.

For us, it seems more useful to create an auth daemon using cyrus-sasl, rather than to add domain support to the existing ntlm code. First of all, it is easier to implement. Besides, it enables the use of all mechanisms supported by cyrus-sasl (present and future), including GSSAPI. Anyway, it will be a useful addition to dovecot.

I have made appropriate patches for both dovecot-1.0-stable and dovecot-1.0.alpha1. The idea is to copy "src/auth" to "src/auth-cyrus", strip everything unneeded from the newly created directory and add cyrus-sasl support. The resulting code probably does not look as elegant as if it had been written separately, but this way allows one not to redo a lot of things from scratch.

The patch against 1.0.alpha1 is here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz . To be more readable, it is not a flat patch (due to a lot of whole-file adds/removes). It is a tarball with 3 files: a list of files to initially copy from auth/ to auth-cyrus/, a patch for the resulting tree, and a script which automates these steps (:-)). (The script should be run in the root of the main source, i.e. a dir with src/ and doc/ subdirs).

I have already successfully tested this patch with the PLAIN method. However, before testing other methods, it would be desirable that somebody looked at it.

Could someone check my patch (just by reading through it quickly), at least for obvious bugs and typos?

Dmitry Butskoy <Dmitry at Butskoy.name>
Saint-Petersburg, Russia
Red Hat Certified Engineer 809003662809495
Andrey Panin
2005-Sep-06 05:44 UTC
[Dovecot] An alternate "dovecot-auth" daemon using cyrus-sasl
On 248, 09 05, 2005 at 03:48:19PM +0400, buc wrote:
> We use dovecot in a heterogeneous environment (Windows/Linux desktops
> and Linux servers). For unified authentication we use a sheaf
> "Samba/Openldap" (i.e., Samba NT domain with openldap backend and
> pam/nss_ldap for Linux).

So why can't you use dovecot with openldap as passdb?

> Windows users are authenticated well everywhere, but there is one old
> issue. As "SPA" (NTLM) against NT domain is not supported by dovecot, it
> is necessary to use default "plain" method. In addition to security
> problems, it does also a problem of password unification. Each time a
> user changes the password, he should do it one more time for the mail
> program.
>
> I know that dovecot supports NTLM, however against local database only
> (not for NT domain controller). In early versions support of cyrus-sasl
> (which supports NTLM now) had been incorporated, however it like not
> work and now is removed.
> Fortunately, there is a possibility to substitute dovecot-auth
> executable. Therefore I have tried to make an alternate variant of
> dovecot-auth, which supports all that we need.
>
> For us, it seems to be more useful to create an auth daemon using
> cyrus-sasl, rather than to add domain support to existing ntlm code.
> First of all, it is easier for implementation. Besides it enables use of
> all mechanisms supported by cyrus-sasl (present and future), including
> GSSAPI. Anyway, it will be the useful additive to dovecot.

Dovecot doesn't support cyrus-sasl for a good reason - it's a mess.

> I have made appropriate patches for both dovecot-1.0-stable and
> dovecot-1.0.alpha1.
> The idea is to copy "src/auth" to "src/auth-cyrus", strip all unneeded
> from newly created directory and add cyrus-sasl support. The resulting
> code probably looks not so elegantly as if it has been written
> separately, however this way allows to not make a lot of things from the
> scratch.
>
> The patch against 1.0.alpha1 is
> here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz .
> To be more readable, it is not a flat patch (due to a lot of whole
> files add/remove). It is a tarball with 3 files: a list of files to
> initial copy from auth/ to auth-cyrus/, a patch for resulting tree, and
> a script which automates this steps (:-)). (The script should be run in
> the root of the main source, i.e. a dir with src/ and doc/ subdirs).
>
> I already have successfully tested this patch with PLAIN method.
> However before testing of other methods, it would be desirable that
> somebody have looked at it.
>
> Whether someone could check up my patch (just fluently having read),
> at least for obvious bugs and typos?
>
> Dmitry Butskoy <Dmitry at Butskoy.name>
> Saint-Petersburg, Russia
> Red Hat Certified Engineer 809003662809495

-- 
Andrey Panin | Linux and UNIX system administrator
pazke at donpac.ru | PGP key: wwwkeys.pgp.net
Andrey Panin
2005-Sep-06 10:21 UTC
[Dovecot] An alternate "dovecot-auth" daemon using cyrus-sasl
On 249, 09 06, 2005 at 01:35:58PM +0400, Dmitry Butskoy wrote:
> Andrey Panin wrote:
>
> >On 248, 09 05, 2005 at 03:48:19PM +0400, buc wrote:
> >
> >>We use dovecot in a heterogeneous environment (Windows/Linux desktops
> >>and Linux servers). For unified authentication we use a sheaf
> >>"Samba/Openldap" (i.e., Samba NT domain with openldap backend and
> >>pam/nss_ldap for Linux).
> >
> >So why you can't use dovecot with openldap as passdb ?
>
> Yes, now we use dovecot with pam, which uses openldap by pam_ldap etc...
> But PAM can handle plain passwords only, therefore it is not suitable
> for NTLM.
> I have not found it in examples, but may be dovecot`s ntlm can take
> appropriate password hashes from openldap directly?
> (sambaLMPassword/sambaNTPassword)

Yes, dovecot can handle LM/NTLM password hashes and it can fetch them from
OpenLDAP directly (look at doc/dovecot-ldap.conf).

In general you can store passwords in any supported form, just add the proper
password scheme prefix. For example:

{NTLM}69943C5E63B4D2C104DBBCC15138B72B

For more information read here: http://wiki.dovecot.org/Authentication

> >>Windows users are authenticated well everywhere, but there is one old
> >>issue. As "SPA" (NTLM) against NT domain is not supported by dovecot, it
> >>is necessary to use default "plain" method. In addition to security
> >>problems, it does also a problem of password unification. Each time a
> >>user changes the password, he should do it one more time for the mail
> >>program.
> >>
> >>I know that dovecot supports NTLM, however against local database only
> >>(not for NT domain controller). In early versions support of cyrus-sasl
> >>(which supports NTLM now) had been incorporated, however it like not
> >>work and now is removed.
> >>Fortunately, there is a possibility to substitute dovecot-auth
> >>executable. Therefore I have tried to make an alternate variant of
> >>dovecot-auth, which supports all that we need.
> >>
> >>For us, it seems to be more useful to create an auth daemon using
> >>cyrus-sasl, rather than to add domain support to existing ntlm code.
> >>First of all, it is easier for implementation. Besides it enables use of
> >>all mechanisms supported by cyrus-sasl (present and future), including
> >>GSSAPI. Anyway, it will be the useful additive to dovecot.
> >
> >Dovecot doesn't support cyrus-sasl for a good reason - it's a mess.
>
> Certainly, I do not suggest switching upstream dovecot to cyrus-sasl.
>
> But can this patch be given the right to a life? Somewhere in "unofficial
> patches"...
>
> >>I have made appropriate patches for both dovecot-1.0-stable and
> >>dovecot-1.0.alpha1.
> >>The idea is to copy "src/auth" to "src/auth-cyrus", strip all unneeded
> >>from newly created directory and add cyrus-sasl support. The resulting
> >>code probably looks not so elegantly as if it has been written
> >>separately, however this way allows to not make a lot of things from the
> >>scratch.
> >>
> >>The patch against 1.0.alpha1 is
> >>here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz .
> >>To be more readable, it is not a flat patch (due to a lot of whole
> >>files add/remove). It is a tarball with 3 files: a list of files to
> >>initial copy from auth/ to auth-cyrus/, a patch for resulting tree, and
> >>a script which automates this steps (:-)). (The script should be run in
> >>the root of the main source, i.e. a dir with src/ and doc/ subdirs).
> >>
> >>I already have successfully tested this patch with PLAIN method.
> >>However before testing of other methods, it would be desirable that
> >>somebody have looked at it.
> >>
> >>Whether someone could check up my patch (just fluently having read),
> >>at least for obvious bugs and typos?
>
> Dmitry Butskoy <Dmitry at Butskoy.name>
> Saint-Petersburg, Russia
> Red Hat Certified Engineer 809003662809495

-- 
Andrey Panin | Linux and UNIX system administrator
pazke at donpac.ru | PGP key: wwwkeys.pgp.net
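The reply above says that dovecot can take the NT hash Samba keeps in sambaNTPassword straight from LDAP, provided the value is prefixed with the {NTLM} password scheme, and that PAM is unsuitable because it only ever sees plaintext. The following Python is an added example for this page, not Dovecot's or Samba's own code: it shows what that stored value actually is (unsalted MD4 over the UTF-16LE password) and how a PLAIN/LOGIN login is checked against a {NTLM} entry by hashing the supplied plaintext the same way. MD4 is written out in pure Python because hashlib's md4 is often disabled on OpenSSL 3 builds. The LDAP entry, its uid, and the helper names dovecot_password_field and verify_plain_against_ntlm are constructed for the example; the hash in the sample entry is the well-known NT hash of the string "password".

```python
"""NT hash and {NTLM} password-scheme helpers. Added example; not Dovecot or Samba code."""
import hmac
import struct

_M = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def _md4_round(a, b, c, d, fn, X, ks, ss, const):
    # One of the three MD4 rounds; the register being updated rotates a, d, c, b (RFC 1320).
    for i in range(16):
        k, s = ks[i], ss[i % 4]
        if i % 4 == 0:
            a = _lrot((a + fn(b, c, d) + X[k] + const) & _M, s)
        elif i % 4 == 1:
            d = _lrot((d + fn(a, b, c) + X[k] + const) & _M, s)
        elif i % 4 == 2:
            c = _lrot((c + fn(d, a, b) + X[k] + const) & _M, s)
        else:
            b = _lrot((b + fn(c, d, a) + X[k] + const) & _M, s)
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is frequently unavailable."""
    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        a, b, c, d = _md4_round(a, b, c, d, F, X, list(range(16)), (3, 7, 11, 19), 0)
        a, b, c, d = _md4_round(a, b, c, d, G, X, [(i % 4) * 4 + i // 4 for i in range(16)],
                                (3, 5, 9, 13), 0x5A827999)
        a, b, c, d = _md4_round(a, b, c, d, H, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                                (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & _M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash Samba stores in sambaNTPassword: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def dovecot_password_field(ldap_entry: dict) -> str:
    """Turn an LDAP entry's sambaNTPassword into the {NTLM}<hex> form the reply describes.
    (Helper name and entry shape are constructed for this example.)"""
    nt_hex = ldap_entry["sambaNTPassword"][0]
    if len(nt_hex) != 32 or any(ch not in "0123456789abcdefABCDEF" for ch in nt_hex):
        raise ValueError("sambaNTPassword is not a 32-hex-digit NT hash")
    return "{NTLM}" + nt_hex.upper()


def verify_plain_against_ntlm(password: str, stored: str) -> bool:
    """What a passdb does for a PLAIN/LOGIN login against a {NTLM} entry: hash the
    plaintext the same way and compare in constant time. For the NTLM mechanism itself
    the server needs this hash as the key material, which is why plaintext-only PAM
    cannot serve NTLM while a stored hash can serve both."""
    if not stored.startswith("{NTLM}"):
        raise ValueError("not an {NTLM} scheme entry")
    expected = bytes.fromhex(stored[len("{NTLM}"):])
    return hmac.compare_digest(nt_hash(password), expected)


# Constructed sample entry in the shape of a Samba user object in OpenLDAP.
SAMPLE_LDAP_ENTRY = {
    "uid": ["jdoe"],
    "sambaNTPassword": ["8846F7EAEE8FB117AD06BDD830B7586C"],  # NT hash of "password"
}

if __name__ == "__main__":
    field = dovecot_password_field(SAMPLE_LDAP_ENTRY)
    print(field)
    print(verify_plain_against_ntlm("password", field), verify_plain_against_ntlm("Password", field))
```

Two practical caveats follow directly from the construction: the NT hash is unsalted and case-sensitive only because the password is, so a leaked sambaNTPassword is as good as the password for any NTLM exchange (pass-the-hash), and whatever reads it out of LDAP (the dovecot-auth process or an LDAP bind DN used for lookups) should have no more access than that. The older sambaLMPassword value is weaker still and is better left unset where no client needs LM.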
Timo Sirainen
2005-Sep-11 11:39 UTC
[Dovecot] An alternate "dovecot-auth" daemon using cyrus-sasl
On Mon, 2005-09-05 at 15:48 +0400, buc wrote:
> The patch against 1.0.alpha1 is
> here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz .
> To be more readable, it is not a flat patch (due to a lot of whole
> files add/remove). It is a tarball with 3 files: a list of files to
> initial copy from auth/ to auth-cyrus/, a patch for resulting tree, and
> a script which automates this steps (:-)). (The script should be run in
> the root of the main source, i.e. a dir with src/ and doc/ subdirs).
>
> I already have successfully tested this patch with PLAIN method.
> However before testing of other methods, it would be desirable that
> somebody have looked at it.
>
> Whether someone could check up my patch (just fluently having read),
> at least for obvious bugs and typos?

Didn't see anything obviously wrong there.

In general I wouldn't mind having a standalone cyrus-sasl auth daemon that's compatible with dovecot-auth, but it'd have to be standalone instead of being distributed with Dovecot itself.

A lot more code could be removed from dovecot-auth besides what you already did. Probably a better idea would be to just build a new one from scratch..

Also one thing that could be a problem is that Cyrus SASL's calls are blocking, so either you should be running many dovecot-cyrus-auth processes (I'm not sure how well that works nowadays), or you could change the code to use auth-worker processes, where the Cyrus code is run the way dovecot-auth now does with MySQL.