Hi,

I am trying to configure a proxy accepting GSSAPI and PLAIN authentication.

When authenticating with Kerberos, Dovecot uses a master user and password to authenticate to the backends (backends can be Cyrus or Exchange servers too).
When authenticating with PLAIN passwords, Dovecot sends the user's login and password to the backend.

For GSSAPI, I use extra fields:

    k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend

For PLAIN, I use a static driver:

    passdb {
      driver = static
      args = proxy=y host=cyrus password=%w
    }

I can authenticate fine with Kerberos tickets and with login/password on the backend.

The trouble is that if I authenticate with PLAIN login/password, with a user known from the passdb lookup made for GSSAPI, I can authenticate with any password; it is not checked. The passdb with masteruser and nopassword=y is the one that matches.

I can't restrict the passdb with the k5principals extra field.

I tried the static and ldap drivers, with the same wrong behaviour.

    pass_attrs = \
      =proxy=Y, \
      =nopassword=Y, \
      =pass=masterpassword, \
      =login_user=%{ldap:uid}, \
      =user=masteruser, \
      =host=backend, \
      =k5principals=%{ldap:uid}@REALM

With the ldap driver, I've got auth_bind = no.

The user is found in LDAP, and Dovecot logs him in with the master password.

If I don't configure an ldap passdb, but a userdb only, the proxy tries the passdb that comes after for PLAIN logins.

With a passwd-file driver, k5principals works fine. The user isn't found if it authenticates with PLAIN.

My question is: is it possible to restrict an ldap or static passdb to the GSSAPI mechanism only?

Thanks for your help,
Regards,
Sam
If your dovecot is recent enough you can use the mechanisms setting on the passdb block. See https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/

> On 24/11/2019 17:17 Sam via dovecot <dovecot@dovecot.org> wrote:
>
> Hi,
>
> I try to configure a proxy accepting GSSAPI and PLAIN authentication.
>
> When authenticating with Kerberos, Dovecot uses master user and password to authenticate to backends (backends can be Cyrus or Exchange servers too)
> When authenticating with PLAIN passwords, Dovecot sends user's login and password to the backend.
>
> For GSSAPI, I use extrafields :
>     k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend
>
> For PLAIN, I use a static driver :
>     passdb {
>       driver = static
>       args = proxy=y host=cyrus password=%w
>     }
>
> I can authenticate fine with Kerberos tickets and login/password on the backend.
>
> Trouble is that if I authenticate with PLAIN login/password, with a user known from the passdb lookup made for GSSAPI, I can authenticate with any password, it is not checked. The passdb with masteruser and nopassword=y is checked.
>
> I can't restrict the passdb with the k5principals extrafield.
>
> I tried static and ldap drivers, with the same wrong behaviour.
>     pass_attrs = \
>       =proxy=Y, \
>       =nopassword=Y, \
>       =pass=masterpassword, \
>       =login_user=%{ldap:uid}, \
>       =user=masteruser, \
>       =host=backend, \
>       =k5principals=%{ldap:uid}@REALM
> With the ldap driver, I've got auth_bind = no
>
> The user is found in the ldap, and Dovecot logs him with the masterpassword.
>
> If I don't configure an ldap passdb, but a userdb only, the proxy try passdb that comes after for PLAIN logins.
>
> With a passwd-file driver, the k5principals works fine. The user isn't found if it authenticates with PLAIN.
>
> My question is : is it possible to restrict a ldap or static passdb for GSSAPI mechanism only ?
>
> Thanks for your help,
> Regards,
> Sam

---
Aki Tuomi
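The misconfiguration in this thread, a proxy passdb that sets nopassword for the GSSAPI master-user path but is not limited to that mechanism, is easy to spot mechanically once you know what to look for. The script below is an added example, not code from the thread or from the Dovecot project: it parses passdb blocks out of a Dovecot config fragment and flags any passdb that grants passwordless access without a `mechanisms` restriction. The two embedded config fragments are constructed for the example, using the static driver variant Sam mentions trying; `backend`, `cyrus`, `REALM`, `masteruser` and `masterpassword` are placeholders, and the fixed variant applies the passdb `mechanisms` setting Aki points to (available in Dovecot 2.2.30 and later).

```python
"""Added example (not from the thread or from Dovecot): audit Dovecot passdb
blocks for a nopassword proxy passdb that is not restricted by `mechanisms`,
so it also matches PLAIN/LOGIN attempts and accepts any password."""
import re

# Constructed config modelled on the thread (static driver variant). The first
# passdb is the GSSAPI master-user proxy; the second forwards the PLAIN
# password (%w) to the backend. Hostnames, REALM and the master credentials
# are placeholders.
VULNERABLE_CONF = """
passdb {
  driver = static
  args = proxy=y nopassword=y pass=masterpassword login_user=%u user=masteruser host=backend k5principals=%u@REALM
}
passdb {
  driver = static
  args = proxy=y host=cyrus password=%w
}
"""

# The fix from the thread: bind each passdb to the SASL mechanisms it serves
# with the passdb `mechanisms` setting (Dovecot 2.2.30 and later).
FIXED_CONF = """
passdb {
  driver = static
  mechanisms = gssapi
  args = proxy=y nopassword=y pass=masterpassword login_user=%u user=masteruser host=backend k5principals=%u@REALM
}
passdb {
  driver = static
  mechanisms = plain login
  args = proxy=y host=cyrus password=%w
}
"""

_BLOCK = re.compile(r"passdb\s*\{(.*?)\}", re.S)


def parse_passdbs(conf):
    """Return one {setting: value} dict per passdb block, in config order.
    Only flat passdb blocks (no nested sections) are handled, which is all
    this check needs."""
    blocks = []
    for match in _BLOCK.finditer(conf):
        settings = {}
        for raw in match.group(1).splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
        blocks.append(settings)
    return blocks


def extra_fields(args):
    """Split a space-separated `key=value` extra-field string (the static
    driver's args format) into a dict with lower-cased keys."""
    fields = {}
    for token in args.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.lower()] = value
    return fields


def audit(conf):
    """Return one finding per passdb that sets nopassword but is either not
    limited by `mechanisms` at all or explicitly includes a password
    mechanism. Presence of the nopassword field counts; its value is not
    inspected by this check."""
    findings = []
    for index, passdb in enumerate(parse_passdbs(conf), start=1):
        fields = extra_fields(passdb.get("args", ""))
        if "nopassword" not in fields:
            continue
        mechanisms = passdb.get("mechanisms", "").lower().split()
        driver = passdb.get("driver", "?")
        if not mechanisms:
            findings.append({
                "passdb": index, "driver": driver,
                "reason": "nopassword set without a mechanisms restriction: "
                          "PLAIN/LOGIN logins match it and any password is accepted",
            })
        elif "plain" in mechanisms or "login" in mechanisms:
            findings.append({
                "passdb": index, "driver": driver,
                "reason": "nopassword passdb explicitly allows a password mechanism",
            })
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```

Running it reports the first passdb of the vulnerable fragment and nothing for the fixed one. The check keys off the nopassword field because that is what turns a passdb match into a successful login regardless of the supplied password; a passdb that merely forwards `%w` to a backend still relies on the backend to verify it.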
Thanks! It did the trick! We can do very different configurations with this new setting.

Regards,
Sam

On Sun 24 Nov 2019 at 16:48, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:

> If your dovecot is recent enough you can use mechanisms setting on passdb
> block. See
> https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/