Hi Laz,
I’m just wondering… why are you using LDAP and/or PAM to access the MySQL server? If also the password is stored in the db you could use MySQL directly?
Because then you could use password_query and user_query to actually split the provided email address into name and domain parts. Then you can lookup each individually or adjust as needed...
I have something like this:
user_query = SELECT CONCAT('/var/mail/virtual/', SUBSTRING(mail_addr
, LOCATE('@', mail_addr
) +1 ), '/',
SUBSTRING(mail_addr
, 1, LOCATE('@', mail_addr
) -1) ) AS 'home', '1000' AS 'uid',
'8' AS 'gid', CONCAT('*:bytes=', quota
, 'M') AS 'quota_rule' FROM mail_users
WHERE mail_addr
= '%u' AND status
= 'ok' AND mail_type
LIKE '%%_mail%%‘
With an SQL statement you could even use sub-selects and whatnot to do complicated things. Perhaps you could do something similar with the LDAP string but I never used LDAP that much…
Philon
Am 02.07.2015 um 02:27 schrieb Laz C. Peterson laz@paravis.net:
It’s actually unbelievable how much slower LDAP auth is than PAM. Does anyone have any suggestions how I can improve Dovecot LDAP auth? I have tried caching authentications and that doesn’t help either.
~ Laz Peterson Paravis, LLC Ph: 951.319.3240 x201
On Jul 1, 2015, at 4:41 PM, Laz C. Peterson laz@paravis.net wrote:
Thank you for the response Axel. I will look into that.
I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow. For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately. When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing.
I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow! This would definitely be an option though, as it does serve the purpose. I just can’t figure out how to fix the performance issue. Any thoughts to this?
~ Laz Peterson Paravis, LLC Ph: 951.319.3240 x201
On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttgens@skynet.be wrote:
Le 1 juil. 2015 à 04:38, Laz C. Peterson
a écrit :
I have an interesting case here …
Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM. PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz@PARAVIS.LOCAL mailto:laz@PARAVIS.LOCAL and my email address would be laz@paravis.net mailto:laz@paravis.net.
All of this works just fine. But what I want to do is allow the users to log in using their email address and not their full Kerberos name. It is becoming laborious to help the users understand the difference between their username@LOCAL.REALM and username@email.address mailto:username@email.address and why we have to have two separate identities that mean the same thing.
I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either). But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username.
I’m sure there has to be a way. Any help will be greatly appreciated. Thank you!
Hello Laz,
I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
Indeed, your MySql database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
That said, I hope to be wrong, Axel