<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
If your Dovecot is recent enough you can use the mechanisms setting in the passdb
block. See
doc.dovecot.org/configuration_manual/authentication/password_databases_passdb
<br>
</div>
<blockquote type="cite">
<div>
On 24/11/2019 17:17 Sam via dovecot &lt;dovecot@dovecot.org&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div dir="ltr">
<div>
Hi,
</div>
<div>
<br>
</div>
<div>
I am trying to configure a proxy accepting GSSAPI and PLAIN authentication.
</div>
<div>
<br>
</div>
<div>
When authenticating with Kerberos, Dovecot uses a master user and password to
authenticate to the backends (the backends can be Cyrus or Exchange servers too).
</div>
<div>
When authenticating with PLAIN passwords, Dovecot sends the user's login
and password to the backend.
</div>
<div>
<br>
</div>
<div>
For GSSAPI, I use extra fields:
</div>
<div>
<span style="font-family:
monospace;">k5principals=principal@REALM proxy=Y pass=masterpassword
login_user=principal user=masteruser host=backend</span>
</div>
<div>
<br>
</div>
<div>
For PLAIN, I use a static driver:
</div>
<div>
<span style="font-family: monospace;">passdb {<br>
driver = static<br> args = proxy=y host=cyrus
password=%w<br>}</span>
</div>
<div>
<br>
</div>
<div>
I can authenticate fine with Kerberos tickets and login/password on the
backend.
<br>
</div>
<div>
<br>
</div>
<div>
The trouble is that if I authenticate with a PLAIN login/password, with a user
known from the passdb lookup made for GSSAPI, I can authenticate with any
password; it is not checked. The passdb with masteruser and nopassword=y is
checked.
<br>
</div>
<div>
<br>
</div>
<div>
I can't restrict the passdb with the k5principals extra field.
<br>
</div>
<div>
<br>
</div>
<div>
I tried the static and ldap drivers, with the same wrong behaviour.
</div>
<div>
<span style="font-family: monospace;">pass_attrs =
\<br> =proxy=Y, \<br> =nopassword=Y, \<br>
=pass=masterpassword, \<br> =login_user=%{ldap:uid}, \<br>
=user=masteruser, \<br> =host=backend, \<br>
=k5principals=%{ldap:uid}@REALM</span>
</div>
<div>
With the ldap driver, I've got auth_bind = no.
</div>
<div>
<br>
</div>
<div>
The user is found in LDAP, and Dovecot logs him in with the
masterpassword.
</div>
<div>
<br>
</div>
<div>
If I don't configure an ldap passdb, but a userdb only, the proxy tries the
passdb that comes after for PLAIN logins.
<br>
</div>
<div>
<br>
</div>
<div>
With a passwd-file driver, the k5principals works fine. The user isn't
found if they authenticate with PLAIN.
<br>
</div>
<div>
<br>
</div>
<div>
My question is: is it possible to restrict an ldap or static passdb to the
GSSAPI mechanism only?
</div>
<div>
<br>
</div>
<div>
Thanks for your help,
</div>
<div>
Regards,
</div>
<div>
Sam
<br>
</div>
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
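<div>
A minimal configuration of the kind the reply above points to, added here as an illustration; it is neither Sam's configuration nor text from the Dovecot documentation. It assumes Dovecot 2.3 or later, where a passdb block accepts a <code>mechanisms</code> setting listing the SASL mechanisms that passdb applies to. The host names, realm and master credentials are placeholders, and the proxy extra fields are carried over from the post as written.
</div>

```conf
# Added example; not the poster's or Dovecot's own configuration.
# Assumes Dovecot 2.3+ (passdb "mechanisms" setting). All names are placeholders.
auth_mechanisms = plain gssapi

# Consulted only for GSSAPI (ticket) logins. A PLAIN login with the same
# username skips this block entirely, so nopassword=y can no longer let a
# wrong password through. The proxy fields are the ones from the post.
passdb {
  driver = static
  mechanisms = gssapi
  args = proxy=y nopassword=y host=backend.example.com k5principals=%u@EXAMPLE.COM login_user=%u user=masteruser pass=masterpassword
}

# Consulted only for PLAIN logins: the user's own password is forwarded
# to the backend, which performs the real check.
passdb {
  driver = static
  mechanisms = plain
  args = proxy=y host=cyrus.example.com password=%w
}
```

<div>
To check the split, run <code>doveadm auth test someuser anypassword</code> (a PLAIN authentication): the extra fields it reports should now be those of the second block (proxy and host only) and never the <code>user=masteruser</code>/<code>pass=masterpassword</code> fields of the first, which a GSSAPI login still receives. Without the <code>mechanisms</code> lines the first block matches PLAIN logins too, which is the behaviour described in the post.
</div>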
</body>
</html>