On Wed, 2011-06-01 at 11:25 +0200, Jahnke-Zumbusch, Dirk wrote:
For now my section for the passdb in the Director instance is
passdb {
  driver = static
  args = proxy=y nopassword=y
}
So the backend will do the authentication of the session. But this setup inhibits using Kerberos, as the TGT is not forwarded to the backend server.
Right..
I would very much like to provide GSSAPI/Kerberos authentication, which already works fine with the backend servers being directly connected by mail clients. The backend servers are using the PAM driver.
I could not figure out how to set up the passdb entry for the director instance to use PAM (this way enabling GSSAPI/Kerberos) and also give back the necessary "proxy=y" to make director proxy the IMAP session.
PAM doesn't enable clients to use GSSAPI/Kerberos authentication. The client would still be doing a plaintext user+password authentication. So I don't think using PAM+Kerberos on director is useful for anything.
For real Kerberos auth you'd need to use Dovecot's own GSSAPI authentication. But yeah, there's currently no way to return proxy=y from GSSAPI either, because it doesn't use any passdb..