[Dovecot] Proxy and SSO (single sign-on)

Miguel Tormo mlists at edicom.eu
Wed Apr 4 14:18:00 EEST 2012


Hello,

I have a running setup with a dovecot imap4/pop3 proxy to a few dovecot backend servers which actually store the mailboxes. This is running smoothly and allows me to transparently distribute mailboxes.
I'm using some "extrafield" configured in the LDAP passdb.

However, now I would like to use GSSAPI (preferred) and NTLM for single sign-on. Both are pretty straightforward to configure in a single instance environment, but I don't know if they would work with proxy. For example, with GSSAPI there are two cases:
  1) Just use gssapi mechanism, without PAM. Then, it a user presents a ticket the passdb ldap is not used, so the extrafields are never read.
  2) Use gssapi and PAM (thus allowing using a kerberos password). But the extrafields feature isn't available with PAM passdb driver, so again the proxy won't work.

The case for NTLM would fall into the first case, I think. Am I right regarding this scenario? Is there a way I could make SSO and proxying work? I'm currently using dovecot 2.0.16 (had to patch it to increment LOGIN_MAX_INBUF_SIZE to 4096 for GSSAPI to work, as I read somewhere in this list), but I could upgrade to a newer version if that allows all this to work.

Thanks!


More information about the dovecot mailing list