The attached patch makes it possible for Kerberos principals to be associated with a password database entry by adding a new "k5principals" passdb setting. A client that successfully authenticates using GSSAPI will be able to log in as any user who has been associated with the client's Kerberos principal. This means that users can now use their Kerberos identities to access virtual mail accounts. The patch definitely needs review by someone familiar with Dovecot. It works for me on a small test installation using the passwd-file backend. Things that should probably be improved: 1. The list of authorized principals is stored in struct auth_request. I would prefer to store it in struct gssapi_auth_request, but auth-request.c does not know about structs that are specific to the different authentication plugins. This could be fixed in a more general way by adding a new function to struct mech_module to allow authplugins to read fields during passdb lookups. 2. The gssapi authplugin now does a credential lookup in order to trigger parsing of the k5principals setting. In order for this to work, auth_request_set_username is now called before mech_gssapi_userok. AFAICT the only impact of this is that messages logged by this function (and the functions it calls) will now use the name of the virtual account. 3. The credentials lookup triggers an info log message saying that credentials for GSSAPI were requested, "but we have only (e.g.) MD5-CRYPT". The authplugin doesn't actually want the credential, but I think that the only way the authplugin can trigger a passdb lookup is by requesting it. 4. The final part of the code in mech_gssapi_unwrap was moved to the callback that's triggered when the credentials lookup is complete. The code still needs access to the GSSAPI data, so the buffer pointer & length are now stored in struct gssapi_auth_request, making the inbuf parameter to the mech_gssapi_{sec_context,wrap,unwrap} functions superfluous. The parameters should be removed. 5. The k5principals list won't be processed on Solaris. The code added to the end of mech_gssapi_krb5_userok would have to be moved to a separate function and then be called from the Solaris code. 6. GCC tells me about assignment to incompatible pointer types in the code that iterates through gssapi_k5principals. I must be missing something. The patch is licensed under the MIT license. Please let me know what you think. -- Sam Morris <sam at robots.org.uk> -------------- next part -------------- A non-text attachment was scrubbed... Name: k5principals_1.patch Type: text/x-patch Size: 6953 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20120305/ac715100/attachment-0004.bin>
Timo Sirainen
2012-Mar-05 18:52 UTC
[Dovecot] [PATCH] GSSAPI authorization and virtual users
On 5.3.2012, at 20.45, Sam Morris wrote:> 3. The credentials lookup triggers an info log message saying that > credentials for GSSAPI were requested, "but we have only (e.g.) > MD5-CRYPT". The authplugin doesn't actually want the credential, > but I think that the only way the authplugin can trigger a > passdb lookup is by requesting it.I'll look at the rest more closely later, but this should be an easy fix: request "" instead of "GSSAPI".
Apparently Analagous Threads
- Proxy GSSAPI + PLAIN authentication
- Proxy GSSAPI + PLAIN authentication
- auth debug log entry incorrect
- Lookup master userdb used with GSSAPI causes auth-worker to report "Error: BUG: PASSL had invalid passdb ID"
- Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]