Authentication questions

Francis Augusto Medeiros-Logeay

9 May 2024 9 May '24

8:15 p.m.

Hi,

I was wondering:

1 - Is it possible to configure authentication methods per user? For example, oauth2 for most users, but plain for others? 2 - I had a feeling that when oauth2 authentication fails, dovecot tries to authenticate via plain with the received token. Doesn’t seem logical, but I get my user blocked on my directory server (freeipa) after a few failed oath authentications. If so, can this be prevented?

Best,

Francis

Show replies by date

Aki Tuomi

9 May 9 May

8:45 p.m.

On 09/05/2024 20:15 EEST Francis Augusto Medeiros-Logeay via dovecot dovecot@dovecot.org wrote: Hi, I was wondering: 1 - Is it possible to configure authentication methods per user? For example, oauth2 for most users, but plain for others? 2 - I had a feeling that when oauth2 authentication fails, dovecot tries to authenticate via plain with the received token. Doesn’t seem logical, but I get my user blocked on my directory server (freeipa) after a few failed oath authentications. If so, can this be prevented? Best, Francis _______________________________________________ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org Yep. See https://doc.dovecot.org/configuration_manual/authentication/ password_databases_passdb/#passdb-setting you can filter by mechanism. Aki

Francis Augusto Medeiros-Logeay

10:25 p.m.

...

On 9 May 2024, at 19:45, Aki Tuomi aki.tuomi@open-xchange.com wrote:

...
On 09/05/2024 20:15 EEST Francis Augusto Medeiros-Logeay via dovecot mailto:dovecot@dovecot.org> wrote:

Hi,

I was wondering:

1 - Is it possible to configure authentication methods per user? For example, oauth2 for most users, but plain for others? 2 - I had a feeling that when oauth2 authentication fails, dovecot tries to authenticate via plain with the received token. Doesn’t seem logical, but I get my user blocked on my directory server (freeipa) after a few failed oath authentications. If so, can this be prevented?

Best,

Francis

dovecot mailing list -- dovecot@dovecot.org mailto:dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org mailto:dovecot-leave@dovecot.org Yep. See https://doc.dovecot.org/configuration_manual/authentication/password_databas...

you can filter by mechanism.

Aki

Thanks, this is great!

Best, Francis

Francis Augusto Medeiros-Logeay

10:50 p.m.

...

On 9 May 2024, at 19:45, Aki Tuomi aki.tuomi@open-xchange.com wrote:

...
On 09/05/2024 20:15 EEST Francis Augusto Medeiros-Logeay via dovecot mailto:dovecot@dovecot.org> wrote:

Hi,

I was wondering:

1 - Is it possible to configure authentication methods per user? For example, oauth2 for most users, but plain for others? 2 - I had a feeling that when oauth2 authentication fails, dovecot tries to authenticate via plain with the received token. Doesn’t seem logical, but I get my user blocked on my directory server (freeipa) after a few failed oath authentications. If so, can this be prevented?

Best,

Francis

dovecot mailing list -- dovecot@dovecot.org mailto:dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org mailto:dovecot-leave@dovecot.org Yep. See https://doc.dovecot.org/configuration_manual/authentication/password_databas...

you can filter by mechanism.

Aki

The weird thing is that I get this still:

May 09 21:45:47 auth: Error: oauth2(myuser@mydomain.com,48.237.124.127): oauth2 failed: Introspection failed: No username returned May 09 21:45:47 auth: Error: ldap(myuser@mydomain.com,48.237.124.127): ldap_bind() failed: Constraint violation

Even when I have my configuration like this:

auth_mechanisms = $auth_mechanisms xoauth2 oauthbearer

passdb { driver = oauth2 mechanisms = xoauth2 oauthbearer args = /etc/dovecot/dovecot-oauth2.conf.ext result_failure=return-fail }

What could be the cause?

Best, Francis

Christopher Wensink

11:09 p.m.

This may help, see the post from 9/9/2021: https://github.com/goauthentik/authentik/issues/1234

On 5/9/2024 2:50 PM, Francis Augusto Medeiros-Logeay via dovecot wrote:

...

...
On 9 May 2024, at 19:45, Aki Tuomi aki.tuomi@open-xchange.com wrote:

...
On 09/05/2024 20:15 EEST Francis Augusto Medeiros-Logeay via dovecot mailto:dovecot@dovecot.org> wrote:

Hi,

I was wondering:

1 - Is it possible to configure authentication methods per user? For example, oauth2 for most users, but plain for others? 2 - I had a feeling that when oauth2 authentication fails, dovecot tries to authenticate via plain with the received token. Doesn’t seem logical, but I get my user blocked on my directory server (freeipa) after a few failed oath authentications. If so, can this be prevented?

Best,

Francis

dovecot mailing list -- dovecot@dovecot.org mailto:dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org mailto:dovecot-leave@dovecot.org Yep. See https://doc.dovecot.org/configuration_manual/authentication/password_databas...

you can filter by mechanism.

Aki The weird thing is that I get this still:

May 09 21:45:47 auth: Error: oauth2(myuser@mydomain.com,48.237.124.127): oauth2 failed: Introspection failed: No username returned May 09 21:45:47 auth: Error: ldap(myuser@mydomain.com,48.237.124.127): ldap_bind() failed: Constraint violation

Even when I have my configuration like this:

auth_mechanisms = $auth_mechanisms xoauth2 oauthbearer

passdb { driver = oauth2 mechanisms = xoauth2 oauthbearer args = /etc/dovecot/dovecot-oauth2.conf.ext result_failure=return-fail }

What could be the cause?

Best, Francis

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

-- Christopher Wensink IS Administrator Five Star Plastics, Inc 1339 Continental Drive Eau Claire, WI 54701 Office: 715-831-1682 Mobile: 715-563-3112 Fax: 715-831-6075 cwensink@five-star-plastics.com www.five-star-plastics.com

198

Age (days ago)

198

Last active (days ago)

List overview

4 comments

3 participants

participants (3)

Aki Tuomi
Christopher Wensink
Francis Augusto Medeiros-Logeay