Dear All,
We are having a very similar issue with Dovecot 2.2.34 to the one Ákos reported. We want our users to authenticate via GSSAPI over Kerberos using their TGT.
Our setup is two distinct locations, each with its own Dovecot; access to these is handled via the LDAP auth mechanism, with filters that check group memberships, i.e. users from location A are in group A and users from location B are in group B, and thus each accesses their location's respective Dovecot.
After setting up GSSAPI authentication, however, we have noticed that a user can access Dovecot at location A via his Kerberos ticket even though he is a member of group B and not a member of group A.
The question is how to configure GSSAPI to not just authenticate users, but also authorize them by checking their group memberships.
Our config:
auth_gssapi_hostname = <our servers hostname>
auth_krb5_keytab = <path to our dovecot keytab>
auth_mechanisms = plain login gssapi

passdb {
  # contains passfilter for LDAP
  args = /<...>/dovecot-ldap-passdb.conf.ext
  driver = ldap
}

userdb {
  # contains userfilter for LDAP
  args = /<...>/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
The filters look like these:
passfilter = (&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net))
userfilter = (&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-user-group,OU=example-ou,DC=example-domain,DC=net))
Cheers
On 01.06.2018 13:55, Németh Ákos Ferenc wrote:
Dear All,
Is it possible to make any authorization (eg. checking of group membership) in case of GSSAPI authentication?
Our Dovecot authenticates the users against PAM and GSSAPI. In the PAM file I'm able to check whether a user is a member of a selected (e.g. mailreader) group. If the user is a member, he can log in, otherwise not (see below). If the user has a valid Kerberos ticket and he tries to log in via GSSAPI, I can't restrict him if he is not a member of the selected group.
How can I overcome this issue?
My config:
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #args = dovecot
}

userdb {
  # <doc/wiki/AuthDatabase.Passwd.txt>
  driver = passwd
  # [blocking=no]
  #args =

  # Override fields from passwd
  #override_fields = home=/home/virtual/%u
}

...in the PAM file:
auth [success=1 default=ignore] pam_succeed_if.so user ingroup mailreader
auth [success=ignore default=2] pam_succeed_if.so user ingroup admins
auth [success=ignore default=1] pam_succeed_if.so uid >= 1000
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
auth [success=ignore default=1] pam_succeed_if.so uid < 1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Thank you.
Br, Ákos