Hi,

I am trying to configure a proxy accepting GSSAPI and PLAIN authentication.

When authenticating with Kerberos, Dovecot uses a master user and password to authenticate to backends (backends can be Cyrus or Exchange servers too).
When authenticating with PLAIN passwords, Dovecot sends the user's login and password to the backend.

For GSSAPI, I use extra fields:
k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend

For PLAIN, I use a static driver:
passdb {
  driver = static
  args = proxy=y host=cyrus password=%w
}

I can authenticate fine with Kerberos tickets and login/password on the backend.

The trouble is that if I authenticate with a PLAIN login/password, with a user known from the passdb lookup made for GSSAPI, I can authenticate with any password; it is not checked. The passdb with masteruser and nopassword=y is checked.

I can't restrict the passdb with the k5principals extrafield.

I tried static and ldap drivers, with the same wrong behaviour.
pass_attrs = \
  =proxy=Y, \
  =nopassword=Y, \
  =pass=masterpassword, \
  =login_user=%{ldap:uid}, \
  =user=masteruser, \
  =host=backend, \
  =k5principals=%{ldap:uid}@REALM
With the ldap driver, I've got auth_bind = no

The user is found in the ldap, and Dovecot logs him in with the masterpassword.

If I don't configure an ldap passdb, but a userdb only, the proxy tries the passdb that comes after for PLAIN logins.

With a passwd-file driver, the k5principals works fine. The user isn't found if he authenticates with PLAIN.

My question is: is it possible to restrict an ldap or static passdb to the GSSAPI mechanism only?

Thanks for your help,
Regards,
Sam
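
An added example, not part of the original post: a small Python check that flags passdb blocks which return nopassword and can still be reached by a PLAIN or LOGIN attempt, the situation described above. It assumes a Dovecot version whose passdb blocks accept the mechanisms setting and only inspects inline static args (not an ldap pass_attrs file); the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the post: a static passdb handing out master
# credentials with nopassword=y, the same passdb limited to GSSAPI, and the
# PLAIN passdb that forwards the user's own password (%w) to the backend.
SAMPLE_CONF = """
passdb {
  driver = static
  args = proxy=y nopassword=y pass=masterpassword user=masteruser host=backend
}
passdb {
  driver = static
  args = proxy=y nopassword=y pass=masterpassword user=masteruser host=backend
  mechanisms = gssapi
}
passdb {
  driver = static
  args = proxy=y host=cyrus password=%w
}
"""

BLOCK_RE = re.compile(r"^\s*passdb\s*\{(.*?)^\s*\}", re.S | re.M)
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$", re.M)
PASSWORD_MECHS = {"plain", "login"}


def parse_passdbs(conf):
    """Return one settings dict per passdb { ... } block, in file order."""
    return [dict(SETTING_RE.findall(body)) for body in BLOCK_RE.findall(conf)]


def any_password_passdbs(conf):
    """Indexes of passdbs that skip the password check for PLAIN/LOGIN."""
    risky = []
    for index, pdb in enumerate(parse_passdbs(conf)):
        fields = {f.split("=", 1)[0].lower() for f in pdb.get("args", "").split()}
        mechs = {m.lower() for m in re.split(r"[,\s]+", pdb.get("mechanisms", "")) if m}
        # Without a mechanisms filter the passdb is consulted for every mechanism.
        reachable = not mechs or mechs & PASSWORD_MECHS
        if "nopassword" in fields and reachable:
            risky.append(index)
    return risky


if __name__ == "__main__":
    for index in any_password_passdbs(SAMPLE_CONF):
        print(f"passdb #{index}: nopassword set and reachable by PLAIN/LOGIN")
```

On the sample, only the first passdb is reported: the second is skipped for PLAIN because of its mechanisms line, and the third never sets nopassword.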