[Dovecot] LDAP and GSSAPI problems

Trever L. Adams trever.adams at gmail.com
Thu Feb 3 01:13:43 EET 2011


On 02/02/2011 02:38 PM, Timo Sirainen wrote:
> On Wed, 2011-02-02 at 14:29 -0700, Trever L. Adams wrote:
>> dn = smtp/mailhost.example.org@EXAMPLE.ORG
>> sasl_bind = yes
>> sasl_mech = GSSAPI
>> sasl_realm = EXAMPLE.ORG
>> sasl_authz_id = smtp/mailhost.example.org@EXAMPLE.ORG
> LDAP SASL authentication goes through Cyrus SASL library, nothing
> Dovecot can do about it, except for me to write my own LDAP library.
OK. I can understand that.
>> Additionally, I have "auth_krb5_keytab = /etc/dovecot/krb5.keytab" setup
>> for the GSSAPI user login.
> So this setting is never used. If that's the problem, you could try if
> you can work around it in a bit kludgy way:
>
> service auth {
>   executable = /usr/local/bin/auth-wrapper.sh
> }
>
> Which contains:
>
> #!/bin/sh
> export KRB5_KTNAME=/etc/dovecot/krb5.keytab
> exec /usr/local/libexec/dovecot/auth -k
I thought I saw a patch on the mailing list in 2007 that set KRB5_KTNAME
if auth_krb5_keytab was set in the configuration. I guess it was either
NTLM specific or was not accepted.

Postfix (the other half of my solution -- though the version I am using
doesn't do SASL LDAP yet, but 2.9.x does) allows you, in the
configuration, to set what environment variables it should not unset and
even define new ones (an example -- import_environment =
KRB5_KTNAME=/etc/dovecot/krb5.keytab). This may be a good solution for
Dovecot specifically for things like this.

I would rather not have to run bash or any other shell just to set the
environment variable. I will for the time being.

Thank you, as always,
Trever
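The wrapper quoted above works because the Kerberos library, not Dovecot, reads KRB5_KTNAME. Since the keytab is a long-term credential, a practitioner would usually want the wrapper to refuse to start on a missing, empty or world-readable keytab rather than fail later with an opaque GSSAPI error. The script below is an added example written for this page, not code from the thread, from Timo or from Dovecot; the keytab path, the auth binary path, the wrapper file name and the use of klist -k (MIT and Heimdal) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot itself: a variant of the
# auth-wrapper.sh idea that validates the keytab before exporting KRB5_KTNAME.
# The keytab path, the install path and the wrapper file name are assumptions.

# check_keytab_file PATH
# 0 when PATH is a non-empty regular file that "other" cannot read, else 1.
check_keytab_file() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "keytab $kt: missing or not a regular file" >&2
        return 1
    fi
    if [ ! -s "$kt" ]; then
        echo "keytab $kt: empty" >&2
        return 1
    fi
    # A keytab is a long-term credential; refuse to use a world-readable one.
    # Column 8 of "ls -l" is the "other" read bit, portable across GNU and BSD.
    case "$(ls -ld "$kt")" in
        ???????r*)
            echo "keytab $kt: world-readable, chmod 0600 or 0640 it" >&2
            return 1 ;;
    esac
    return 0
}

# check_keytab_principals PATH
# 0 when klist is unavailable or lists at least one principal, else 1.
check_keytab_principals() {
    kt=$1
    command -v klist >/dev/null 2>&1 || return 0
    if klist -k "$kt" 2>/dev/null | grep -q '@'; then
        return 0
    fi
    echo "keytab $kt: klist found no principals" >&2
    return 1
}

run_auth() {
    keytab=${KRB5_KTNAME:-/etc/dovecot/krb5.keytab}   # assumed path
    check_keytab_file "$keytab" || exit 1
    check_keytab_principals "$keytab" || exit 1
    # The Kerberos library reads KRB5_KTNAME; exec keeps the PID so Dovecot
    # supervises the real auth process, as in the original wrapper.
    export KRB5_KTNAME="$keytab"
    exec /usr/local/libexec/dovecot/auth -k
}

# Only exec when installed under the expected name, so the functions can
# also be sourced for testing.
case "$0" in
    auth-wrapper.sh|*/auth-wrapper.sh) run_auth ;;
esac
```

Install it as /usr/local/bin/auth-wrapper.sh and point `service auth { executable = ... }` at it as in the quoted reply; the permission check assumes the auth process runs as a dedicated user that owns or is in the group of the keytab, so 0600 or 0640 is enough and world-readability is always a mistake.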