Dovecot auth username mapping

Laz C. Peterson laz at paravis.net
Thu Jul 2 00:27:37 UTC 2015


It’s actually unbelievable how much slower LDAP auth is than PAM.  Does anyone have any suggestions on how I can improve Dovecot LDAP auth?  I have tried caching authentications and that doesn’t help either.

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

> On Jul 1, 2015, at 4:41 PM, Laz C. Peterson <laz at paravis.net> wrote:
> 
> Thank you for the response Axel.  I will look into that.
> 
> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow.  For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately.  When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing.
> 
> I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow!  This would definitely be an option though, as it does serve the purpose.  I just can’t figure out how to fix the performance issue.  Any thoughts to this?
> 
> ~ Laz Peterson
> Paravis, LLC
> Ph: 951.319.3240 x201
> 
>> On Jul 1, 2015, at 3:24 PM, Axel Luttgens <axel.luttgens at skynet.be> wrote:
>> 
>> 
>>> On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
>>> 
>>> I have an interesting case here …
>>> 
>>> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM.  PAM authenticates through Kerberos, whose realms are internal ones and not the email domains — for example, my username would be laz at PARAVIS.LOCAL and my email address would be laz at paravis.net.
>>> 
>>> All of this works just fine.  But what I want to do is allow the users to log in using their email address and not their full Kerberos name.  It is becoming laborious to help the users understand the difference between their username at LOCAL.REALM and username at email.address and why we have to have two separate identities that mean the same thing.
>>> 
>>> I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either).  But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username.
>>> 
>>> I’m sure there has to be a way.  Any help will be greatly appreciated.  Thank you!
>> 
>> Hello Laz,
>> 
>> I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
>> 
>> Indeed, your MySQL database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
>> 
>> That said, I hope to be wrong,
>> Axel
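Axel's CheckPassword suggestion worked through as an added example (not code from the thread or from Dovecot): the script reads the login and password from fd 3, resolves either the e-mail address or the Kerberos principal to the principal, and hands the mapped name back to Dovecot through USER. The alias table and the password digests (password "s3cret") are constructed stand-ins for the MySQL query and the PAM/Kerberos check the thread describes; a real deployment replaces verify_password with the site's own check.

```python
#!/usr/bin/env python3
"""Dovecot checkpassword script: let users log in with their e-mail address.

Protocol (Dovecot wiki, AuthDatabase/CheckPassword): Dovecot writes the NUL-
terminated username and password to fd 3; the script exits 1 (authentication
failed) or 111 (temporary failure), or execs argv[1] with USER set.
"""
import hashlib, hmac, os, sys
# Constructed stand-in for the MySQL alias table described in the thread:
# both the e-mail address and the Kerberos principal resolve to the principal.
ALIASES = {"laz@paravis.net": "laz@PARAVIS.LOCAL",
           "laz@PARAVIS.LOCAL": "laz@PARAVIS.LOCAL"}
# Constructed stand-in for the site's PAM/Kerberos check (digest of "s3cret").
DIGESTS = {"laz@PARAVIS.LOCAL": hashlib.sha256(b"s3cret").hexdigest()}

def parse_request(raw: bytes):
    """Split the NUL-separated fd-3 payload into (login, password), or None."""
    fields = raw.split(b"\0")
    if len(fields) < 2 or not fields[0]:
        return None
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")

def map_login(login: str, table=ALIASES):
    """Accept either form the user typed and return the canonical Kerberos login."""
    return table.get(login) or table.get(login.lower())

def verify_password(kerb_login: str, password: str, digests=DIGESTS) -> bool:
    """Constant-time comparison against the constructed digest store."""
    want = digests.get(kerb_login)
    got = hashlib.sha256(password.encode()).hexdigest()
    return want is not None and hmac.compare_digest(want, got)

def handle(raw: bytes, table=ALIASES, digests=DIGESTS):
    """Return (exit_code, env); 0 means exec the reply binary with env applied."""
    req = parse_request(raw)
    if req is None:
        return 111, {}                  # malformed request: temporary failure
    kerb_login = map_login(req[0], table)
    # Unknown user and wrong password share exit 1, so the reply does not
    # reveal which e-mail addresses exist.
    if kerb_login is None or not verify_password(kerb_login, req[1], digests):
        return 1, {}
    return 0, {"USER": kerb_login}      # USER rewrites the login Dovecot uses

if __name__ == "__main__":              # protocol path, as invoked by Dovecot
    code, env = handle(os.read(3, 512))
    if code:
        sys.exit(code)
    os.environ.update(env)
    os.execv(sys.argv[1], [sys.argv[1]])
```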


