Hi,
I try to configure a proxy accepting GSSAPI and PLAIN authentication.
When authenticating with Kerberos, Dovecot uses master user and password to
authenticate to backends (backends can be Cyrus or Exchange servers too)
When authenticating with PLAIN passwords, Dovecot sends user's login and
password to the backend.
For GSSAPI, I use extrafields :
k5principals=principal at REALM proxy=Y pass=masterpassword
login_user=principal user=masteruser host=backend
For PLAIN, I use a static driver :
passdb {
driver = static
args = proxy=y host=cyrus password=%w
}
I can authenticate fine with Kerberos tickets and login/password on the
backend.
Trouble is that if I authenticate with PLAIN login/password, with a user
known from the passdb lookup made for GSSAPI, I can authenticate with any
password, it is not checked. The passdb with masteruser and nopassword=y is
checked.
I can't restrict the passdb with the k5principals extrafield.
I tried static and ldap drivers, with the same wrong behaviour.
pass_attrs = \
=proxy=Y, \
=nopassword=Y, \
=pass=masterpassword, \
=login_user=%{ldap:uid}, \
=user=masteruser, \
=host=backend, \
=k5principals=%{ldap:uid}@REALM
With the ldap driver, I've got auth_bind = no
The user is found in the ldap, and Dovecot logs him with the masterpassword.
If I don't configure an ldap passdb, but a userdb only, the proxy try
passdb that comes after for PLAIN logins.
With a passwd-file driver, the k5principals works fine. The user isn't
found if it authenticates with PLAIN.
My question is : is it possible to restrict a ldap or static passdb for
GSSAPI mechanism only ?
Thanks for your help,
Regards,
Sam
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20191124/ad699fb0/attachment-0001.html>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
If your dovecot is recent enough you can use mechanisms setting on passdb
block. See
https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
<br>
</div>
<blockquote type="cite">
<div>
On 24/11/2019 17:17 Sam via dovecot <dovecot@dovecot.org> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div dir="ltr">
<div>
Hi,
</div>
<div>
<br>
</div>
<div>
I try to configure a proxy accepting GSSAPI and PLAIN authentication.
</div>
<div>
<br>
</div>
<div>
When authenticating with Kerberos, Dovecot uses master user and password to
authenticate to backends (backends can be Cyrus or Exchange servers too)
</div>
<div>
When authenticating with PLAIN passwords, Dovecot sends user's login
and password to the backend.
</div>
<div>
<br>
</div>
<div>
For GSSAPI, I use extrafields :
</div>
<div>
<span style="font-family:
monospace;">k5principals=principal@REALM proxy=Y pass=masterpassword
login_user=principal user=masteruser host=backend</span>
</div>
<div>
<br>
</div>
<div>
For PLAIN, I use a static driver :
</div>
<div>
<span style="font-family: monospace;">passdb {<br>
driver = static<br> args = proxy=y host=cyrus
password=%w<br>}</span>
</div>
<div>
<br>
</div>
<div>
I can authenticate fine with Kerberos tickets and login/password on the
backend.
<br>
</div>
<div>
<br>
</div>
<div>
Trouble is that if I authenticate with PLAIN login/password, with a user
known from the passdb lookup made for GSSAPI, I can authenticate with any
password, it is not checked. The passdb with masteruser and nopassword=y is
checked.
<br>
</div>
<div>
<br>
</div>
<div>
I can't restrict the passdb with the k5principals extrafield.
<br>
</div>
<div>
<br>
</div>
<div>
I tried static and ldap drivers, with the same wrong behaviour.
</div>
<div>
<span style="font-family: monospace;">pass_attrs =
\<br> =proxy=Y, \<br> =nopassword=Y, \<br>
=pass=masterpassword, \<br> =login_user=%{ldap:uid}, \<br>
=user=masteruser, \<br> =host=backend, \<br>
=k5principals=%{ldap:uid}@REALM</span>
</div>
<div>
With the ldap driver, I've got auth_bind = no
</div>
<div>
<br>
</div>
<div>
The user is found in the ldap, and Dovecot logs him with the
masterpassword.
</div>
<div>
<br>
</div>
<div>
If I don't configure an ldap passdb, but a userdb only, the proxy try
passdb that comes after for PLAIN logins.
<br>
</div>
<div>
<br>
</div>
<div>
With a passwd-file driver, the k5principals works fine. The user isn't
found if it authenticates with PLAIN.
<br>
</div>
<div>
<br>
</div>
<div>
My question is : is it possible to restrict a ldap or static passdb for
GSSAPI mechanism only ?
</div>
<div>
<br>
</div>
<div>
Thanks for your help,
</div>
<div>
Regards,
</div>
<div>
Sam
<br>
</div>
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</body>
</html>
Thanks ! It did the trick ! We can do very different configurations with this new setting. Regards, Sam Le dim. 24 nov. 2019 ? 16:48, Aki Tuomi <aki.tuomi at open-xchange.com> a ?crit :> If your dovecot is recent enough you can use mechanisms setting on passdb > block. See > https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/ > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20191130/585b3ee4/attachment.html>