Tomasz Lutelmowski
2009-Apr-06 12:35 UTC
[Dovecot] virtual domains with SQL auth + ntlm (winbind) auth for one of them...
Hello ! Is it possible to configure dovecot so it can use SQL authentication for set of domains, and ntlm authentication for one domain? In other words, I would like to authenticate all users (with user at domain.com as login) in SQL server, and if not found, then strip @windomain.com from login and fallback to pam->winbind authentication. So far i have in my dovecot.conf: auth_default_realm = windomain.com mechanisms = plain passdb sql { args = /etc/dovecot/dovecot-sql.conf } passdb pam { } passdb passwd { } userdb sql { args = /etc/dovecot/dovecot-sql.conf } userdb passwd { } userdb prefetch { } in pam.d/dovecot : auth required pam_nologin.so auth include system-auth-winbind account include system-auth-winbind session include system-auth-winbind With this configuration I can authenticate all users for virtual domains with logins user at domain.com - ok, then it fallbacks to pam - ok, but then it returns error (winbind uses only "user" or "DOMAIN\user" as login). After I set auth_username_format = %n I get opposite situation - I can authenticate users with pam, but I can't with SQL (it requires user at domain as login field). Unfortunately auth_default_realm = windomain.com is a must have (and most of the windows clients uses user at windomain.com as login anyway). Please help, I'm banging my head against keyboard since 3 days but still no idea how to do it. Best regards, Tomek
Timo Sirainen
2009-Apr-16 00:29 UTC
[Dovecot] virtual domains with SQL auth + ntlm (winbind) auth for one of them...
On Mon, 2009-04-06 at 14:35 +0200, Tomasz Lutelmowski wrote:> Hello ! > > Is it possible to configure dovecot so it can use SQL authentication > for set of domains, and ntlm authentication for one domain? In other > words, I would like to authenticate all users (with user at domain.com as > login) in SQL server, and if not found, then strip @windomain.com from > login and fallback to pam->winbind authentication.I don't think it's going to work in any easy way. Two ideas: a) Create a pam plugin that drops the @domain part (maybe there already exists one?) b) Switch to using passdb checkpassword and have your script do the SQL check, then call PAM with the @domain part dropped. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090415/42ff6b35/attachment-0002.bin>
Reasonably Related Threads
- Dovecot 2.3.8 - How to force index creation for user/mailbox?
- Samba trusts, mapping issue, and pam crap domain
- Dovecot 2.3.8 - How to force index creation for user/mailbox?
- Dovecot 2.3.8 - How to force index creation for user/mailbox?
- Domain trusts "forgetting" trusted users