Custom Authentication Method
Hi guys, we're using Dovecot/Postfix here for our mail system. I'd like to switch the passdb authentication on Dovecot from PAM over to a custom implementation. We'd prefer to have some sort of script check the password with an external IAM provider via HTTP. Is there any way we can accomplish this?
The idea is to have Dovecot somehow call a script or send a username/password to some service, which checks the username/password against the identity provider and returns a "yes/no" back to Dovecot.
checkpassword seems like it may work but I see no documentation on its API.
Matthew R, AD, FSEN, FSO, FSCR
Chief Director of Engineering & Chairman of the Board of Directors
Library of Code sp-us
matthew@staff.libraryofcode.org
On 01/03/2022 03:54 Matthew R matthew@staff.libraryofcode.org wrote:
> Hi guys, we're using Dovecot/Postfix here for our mail system. I'd like to switch the passdb authentication on Dovecot from PAM over to a custom implementation. We'd prefer to have some sort of script check the password with an external IAM provider via HTTP. Is there any way we can accomplish this?
> The idea is to have Dovecot somehow call a script or send a username/password to some service, which checks the username/password against the identity provider and returns a “yes/no” back to Dovecot.
> checkpassword seems like it may work but I see no documentation on its API.
> Matthew R, AD, FSEN, FSO, FSCR
> Chief Director of Engineering & Chairman of the Board of Directors
> Library of Code sp-us
> matthew@staff.libraryofcode.org
Hi!
Your best choice is to use a Lua script, see https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...
Aki
On 01-03-2022 07:15, Aki Tuomi wrote:
> On 01/03/2022 03:54 Matthew R matthew@staff.libraryofcode.org wrote:
>> Hi guys, we're using Dovecot/Postfix here for our mail system. I'd like to switch the passdb authentication on Dovecot from PAM over to a custom implementation. We'd prefer to have some sort of script check the password with an external IAM provider via HTTP. Is there any way we can accomplish this?
>> The idea is to have Dovecot somehow call a script or send a username/password to some service, which checks the username/password against the identity provider and returns a “yes/no” back to Dovecot.
>> checkpassword seems like it may work but I see no documentation on its API.
>> Matthew R, AD, FSEN, FSO, FSCR
>> Chief Director of Engineering & Chairman of the Board of Directors
>> Library of Code sp-us
>> matthew@staff.libraryofcode.org
> Hi!
> Your best choice is to use a Lua script, see https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...
> Aki
Another option would be to use the pam interface in Dovecot, to configure pam_script or pam_python and implement your authentication code in bash or python.
- Kees
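The checkpassword contract asked about in the original question, as an added example that is not part of the thread or of Dovecot's own code: credentials arrive NUL-separated on file descriptor 3 and the verdict is the exit status (0 accept, 1 reject, 111 temporary failure). The IAM URL and its JSON request/response contract are assumptions, and every function name here is hypothetical.

```python
import json
import os
import sys
import urllib.error
import urllib.request

IAM_URL = "https://iam.example.invalid/verify"  # hypothetical endpoint (assumption)
OK, FAIL, TEMPFAIL = 0, 1, 111                  # checkpassword exit statuses

def parse_request(data: bytes):
    """Split 'user NUL password NUL ...'; None if malformed or a field is empty."""
    parts = data.split(b"\0")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    try:
        return parts[0].decode("utf-8"), parts[1].decode("utf-8")
    except UnicodeDecodeError:
        return None

def verify_http(user: str, password: str) -> bool:
    """Assumed IAM contract: JSON POST, 200 = valid, 401/403 = invalid."""
    body = json.dumps({"username": user, "password": password}).encode()
    req = urllib.request.Request(IAM_URL, data=body, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:  # https: certs verified by default
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # any other status is an outage, not a verdict

def decide(data: bytes, verify=verify_http) -> int:
    creds = parse_request(data)
    if creds is None:
        return FAIL
    try:
        return OK if verify(*creds) else FAIL
    except Exception:
        return TEMPFAIL  # fail closed: an unreachable IAM never means "accept"

def main() -> None:
    with os.fdopen(3, "rb") as fd:
        code = decide(fd.read(512))
    if code == OK and len(sys.argv) > 1:
        os.execvp(sys.argv[1], sys.argv[1:])  # success: run the reply program
    sys.exit(code)

if __name__ == "__main__":
    main()
```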
participants (3): Aki Tuomi, Kees van Vloten, Matthew R