Tomasz Lutelmowski
2009-Apr-06 12:35 UTC
[Dovecot] virtual domains with SQL auth + ntlm (winbind) auth for one of them...
Hello !
Is it possible to configure dovecot so it can use SQL authentication
for set of domains, and ntlm authentication for one domain? In other
words, I would like to authenticate all users (with user at domain.com as
login) in SQL server, and if not found, then strip @windomain.com from
login and fallback to pam->winbind authentication. So far i have in my
dovecot.conf:
auth_default_realm = windomain.com
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
passdb pam {
}
passdb passwd {
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb passwd {
}
userdb prefetch {
}
in pam.d/dovecot :
auth required pam_nologin.so
auth include system-auth-winbind
account include system-auth-winbind
session include system-auth-winbind
With this configuration I can authenticate all users for virtual
domains with logins user at domain.com - ok, then it fallbacks to pam -
ok,
but then it returns error (winbind uses only "user" or
"DOMAIN\user"
as login). After I set auth_username_format = %n I get opposite
situation - I can authenticate users with pam, but I can't with SQL
(it requires user at domain as login field). Unfortunately
auth_default_realm = windomain.com is a must have (and most of the
windows clients uses user at windomain.com as login anyway). Please help,
I'm banging my head against keyboard since 3 days but still no idea
how to do it.
Best regards,
Tomek
Timo Sirainen
2009-Apr-16 00:29 UTC
[Dovecot] virtual domains with SQL auth + ntlm (winbind) auth for one of them...
On Mon, 2009-04-06 at 14:35 +0200, Tomasz Lutelmowski wrote:> Hello ! > > Is it possible to configure dovecot so it can use SQL authentication > for set of domains, and ntlm authentication for one domain? In other > words, I would like to authenticate all users (with user at domain.com as > login) in SQL server, and if not found, then strip @windomain.com from > login and fallback to pam->winbind authentication.I don't think it's going to work in any easy way. Two ideas: a) Create a pam plugin that drops the @domain part (maybe there already exists one?) b) Switch to using passdb checkpassword and have your script do the SQL check, then call PAM with the @domain part dropped. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090415/42ff6b35/attachment-0002.bin>
Maybe Matching Threads
- Dovecot 2.3.8 - How to force index creation for user/mailbox?
- Samba trusts, mapping issue, and pam crap domain
- Dovecot 2.3.8 - How to force index creation for user/mailbox?
- Dovecot 2.3.8 - How to force index creation for user/mailbox?
- Domain trusts "forgetting" trusted users