On Sat, Mar 25, 2006 at 12:24:48PM +0200, Timo Sirainen wrote:
> On Wed, 2006-03-15 at 16:32 +0100, Jelmer Vernooij wrote:
> > On Wed, Mar 15, 2006 at 04:23:05PM +0100, S. Thias wrote:
> > > is there a possibility to map login-names to allowed Kerberos-Principals? At the moment GSSAPI-authentication seems to work only if loginname and kerberos-principal are the same, or am I missing something?
> >
> > I'm afraid that at the moment, that's not (yet) possible.
>
> I added now a pass=yes option to passdbs. This allows doing the conversion using eg.:
>
> passdb passwd-file {
>   args = /etc/imap.users
>   pass = yes
> }
>
> Where the imap.users file would contain entries like:
>
> imapuser:::::::user=realuser
>
> Or it could be done with SQL, LDAP or whatever.
>
> Now if only the GSSAPI code could somehow be told to do these passdb lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not really sure..

That shouldn't be too hard to implement I guess (at the moment we simply require that the kerberos principal matches the username). What functions do I need to call to look up the mapping?

Cheers,
Jelmer
Jelmer Vernooij jelmer@samba.org - http://jelmer.vernstok.nl/
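
The login-name mapping quoted in the thread, modelled as an added example that is not part of the original messages and is not Dovecot code. It assumes the entry layout shown above (seven colons, then space-separated key=value extra fields); the function names and the fail-closed handling of unknown or malformed entries are choices made for this sketch.

```python
from typing import Dict, Optional

# Constructed sample in the layout quoted in the thread.
SAMPLE = """\
# constructed test data
imapuser:::::::user=realuser
plainuser:::::::
emptymap:::::::user=
broken:line
"""


def parse_passwd_file(text: str) -> Dict[str, Dict[str, str]]:
    """Return {login: {extra_key: value}} for well-formed entries only."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first seven colons so the eighth field (extra fields)
        # may itself contain ':' characters.
        fields = line.split(":", 7)
        if len(fields) != 8 or not fields[0]:
            continue  # malformed entry: skip it rather than guess
        extras: Dict[str, str] = {}
        for item in fields[7].split():
            key, sep, value = item.partition("=")
            if sep and key:
                extras[key] = value
        entries[fields[0]] = extras
    return entries


def resolve_user(login: str, entries: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Map a login name to the user name handed to the next passdb.

    Assumption of this sketch: a login with no entry, or with an empty
    user= value, resolves to None so the caller can refuse it.
    """
    extras = entries.get(login)
    if extras is None:
        return None
    mapped = extras.get("user", login)  # no user= field: name is unchanged
    return mapped or None


if __name__ == "__main__":
    table = parse_passwd_file(SAMPLE)
    for name in ("imapuser", "plainuser", "emptymap", "broken", "nobody"):
        print(name, "->", resolve_user(name, table))
```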