Dear All,
Is it possible to make any authorization (eg. checking of group
membership) in case of GSSAPI authentication?
Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
file I'm able to check if a user is a member of a selected (e.g
mailreader) group. If the user is member, he can login otherwise not
(see below). If the user has a valid Kerberos ticket and he tries to
login via GSSAPI, I can't restrict him if he is not a member of the
selected group.
How can I overcome this issue?
My config:
passdb {
? driver = pam
? # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
? # [cache_key=<key>] [<service name>]
? #args = dovecot
}
userdb {
? # <doc/wiki/AuthDatabase.Passwd.txt>
? driver = passwd
? # [blocking=no]
? #args
? # Override fields from passwd
? #override_fields = home=/home/virtual/%u
}
...in PAM file:
auth??? [success=1 default=ignore]????? pam_succeed_if.so user ingroup
mailreader
auth??? [success=ignore default=2]????? pam_succeed_if.so user ingroup
admins
auth??? [success=ignore default=1]????? pam_succeed_if.so uid >= 1000
auth??? [success=3 default=ignore]????? pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login
auth??? [success=ignore default=1]????? pam_succeed_if.so uid < 1000
auth??? [success=1 default=ignore]????? pam_unix.so nullok_secure
try_first_pass
auth??? requisite?????????????????????? pam_deny.so
auth??? required??????????????????????? pam_permit.so
Thank you.
Br,
?kos
Dear All,
We are having a very similar issue with dovecot 2.2.34 as ?kos. We want
our users to authenticate via GSSAPI over Kerberos using their TGT.
Our setup is two distinct locations with their own dovecot's with access
to these being handled via LDAP auth mechanism with filters to check for
their group memberships, i.e. users from location A are in group A and
users from location B are in Group B and thus access their locations
respective dovecot.
After setting up GSSAPI authentication however we have noticed that a
user can access dovecot at location A via his Kerberos ticket even
though he is a member of Group B and not a member of Group A.
The question is, how to configure GSSAPI to not just athenticate users,
but also authorize them through checking their group memberships.
Our config:
auth_gssapi_hostname = <our servers hostname>
auth_krb5_keytab = <path to our dovecot keytab>
auth_mechanisms = plain login gssapi
passdb {
# contains passfilter for LDAP
args = /<...>/dovecot-ldap-passdb.conf.ext
driver = ldap
}
userdb {
# contains userfilter for LDAP
args = /<...>/dovecot-ldap-userdb.conf.ext
driver = ldap
}
The filters look like these:
passfilter =
(&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net))
userfilter =
(&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-user-group,OU=example-ou,DC=example-domain,DC=net))
Cheers
On 01.06.2018 13:55, N?meth ?kos Ferenc wrote:> Dear All,
>
>
> Is it possible to make any authorization (eg. checking of group
> membership) in case of GSSAPI authentication?
>
>
> Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
> file I'm able to check if a user is a member of a selected (e.g
> mailreader) group. If the user is member, he can login otherwise not
> (see below). If the user has a valid Kerberos ticket and he tries to
> login via GSSAPI, I can't restrict him if he is not a member of the
> selected group.
>
>
> How can I overcome this issue?
>
>
> My config:
>
> passdb {
> ? driver = pam
> ? # [session=yes] [setcred=yes] [failure_show_msg=yes]
[max_requests=<n>]
> ? # [cache_key=<key>] [<service name>]
> ? #args = dovecot
> }
>
> userdb {
> ? # <doc/wiki/AuthDatabase.Passwd.txt>
> ? driver = passwd
> ? # [blocking=no]
> ? #args >
> ? # Override fields from passwd
> ? #override_fields = home=/home/virtual/%u
> }
>
>
> ...in PAM file:
>
> auth??? [success=1 default=ignore]????? pam_succeed_if.so user ingroup
> mailreader
>
> auth??? [success=ignore default=2]????? pam_succeed_if.so user ingroup
> admins
> auth??? [success=ignore default=1]????? pam_succeed_if.so uid >= 1000
> auth??? [success=3 default=ignore]????? pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login
>
> auth??? [success=ignore default=1]????? pam_succeed_if.so uid < 1000
> auth??? [success=1 default=ignore]????? pam_unix.so nullok_secure
> try_first_pass
>
> auth??? requisite?????????????????????? pam_deny.so
>
> auth??? required??????????????????????? pam_permit.so
>
>
> Thank you.
>
>
> Br,
> ?kos
>
using successfully active/active replica. trying to add a proxy node in front. this proxy node should do the auth with the same ldap passdb settings as the replica in addition (later with kerberos). so i add to 10-auth.conf on the proxy: default_fields = proxy=y host=imap.myserver.lan port=993 any idea why on the backend the user is empty in the logs? on the proxy: imap-login: Error: proxy(myuser): Login for imap.myserver.lan:993 timed out in state=/none (after 30 secs, local=myip:45834): user=<myuser>, method=PLAIN, rip=myip, lip=myip, TLS, session=<M1JtpiSPGNOsEQED> imap-login: Info: Aborted login (internal failure, 2 successful auths): user=<myuser>, method=PLAIN, rip=myip, lip=myip, TLS, session=<M1JtpiSPGNOsEQED> on the backend: imap-login: Error: proxy(myuser): Login for imap.myserver.lan:993 timed out in state=/none (after 30 secs, local=myip:47622): user=<myuser>, method=PLAIN, rip=myip, lip=myip, TLS, session=<gVxZhCSPftGsEQED> imap-login: Info: Disconnected (no auth attempts in 30 secs): user=<>, rip=myip, lip=imap.myserver.lan, TLS handshaking: SSL_accept() syscall failed: Success, session=<7XIkhiSPBrpfrWbS>