Dear All,
Is it possible to make any authorization (eg. checking of group membership) in case of GSSAPI authentication?
Our dovecot authenticates the users against PAM and GSSAPI. In the PAM file I'm able to check if a user is a member of a selected (e.g mailreader) group. If the user is member, he can login otherwise not (see below). If the user has a valid Kerberos ticket and he tries to login via GSSAPI, I can't restrict him if he is not a member of the selected group.
How can I overcome this issue?
My config:
passdb { driver = pam # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>] # [cache_key=<key>] [<service name>] #args = dovecot }
userdb {
#
# Override fields from passwd #override_fields = home=/home/virtual/%u }
...in PAM file:
auth [success=1 default=ignore] pam_succeed_if.so user ingroup mailreader
auth [success=ignore default=2] pam_succeed_if.so user ingroup admins auth [success=ignore default=1] pam_succeed_if.so uid >= 1000 auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
auth [success=ignore default=1] pam_succeed_if.so uid < 1000 auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Thank you.
Br, Ákos
Dear All,
We are having a very similar issue with dovecot 2.2.34 as Ákos. We want our users to authenticate via GSSAPI over Kerberos using their TGT.
Our setup is two distinct locations with their own dovecot's with access to these being handled via LDAP auth mechanism with filters to check for their group memberships, i.e. users from location A are in group A and users from location B are in Group B and thus access their locations respective dovecot.
After setting up GSSAPI authentication however we have noticed that a user can access dovecot at location A via his Kerberos ticket even though he is a member of Group B and not a member of Group A.
The question is, how to configure GSSAPI to not just athenticate users, but also authorize them through checking their group memberships.
Our config:
auth_gssapi_hostname = <our servers hostname> auth_krb5_keytab = <path to our dovecot keytab> auth_mechanisms = plain login gssapi
passdb { # contains passfilter for LDAP args = /<...>/dovecot-ldap-passdb.conf.ext driver = ldap }
userdb { # contains userfilter for LDAP args = /<...>/dovecot-ldap-userdb.conf.ext driver = ldap }
The filters look like these:
passfilter = (&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net)) userfilter = (&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-user-group,OU=example-ou,DC=example-domain,DC=net))
Cheers
On 01.06.2018 13:55, Németh Ákos Ferenc wrote:
Dear All,
Is it possible to make any authorization (eg. checking of group membership) in case of GSSAPI authentication?
Our dovecot authenticates the users against PAM and GSSAPI. In the PAM file I'm able to check if a user is a member of a selected (e.g mailreader) group. If the user is member, he can login otherwise not (see below). If the user has a valid Kerberos ticket and he tries to login via GSSAPI, I can't restrict him if he is not a member of the selected group.
How can I overcome this issue?
My config:
passdb { driver = pam # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>] # [cache_key=<key>] [<service name>] #args = dovecot }
userdb { #
driver = passwd # [blocking=no] #args = # Override fields from passwd #override_fields = home=/home/virtual/%u }
...in PAM file:
auth [success=1 default=ignore] pam_succeed_if.so user ingroup mailreader
auth [success=ignore default=2] pam_succeed_if.so user ingroup admins auth [success=ignore default=1] pam_succeed_if.so uid >= 1000 auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
auth [success=ignore default=1] pam_succeed_if.so uid < 1000 auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Thank you.
Br, Ákos
using successfully active/active replica. trying to add a proxy node in front. this proxy node should do the auth with the same ldap passdb settings as the replica in addition (later with kerberos). so i add to 10-auth.conf on the proxy:
default_fields = proxy=y host=imap.myserver.lan port=993
any idea why on the backend the user is empty in the logs?
on the proxy:
imap-login: Error: proxy(myuser): Login for imap.myserver.lan:993 timed out in state=/none (after 30 secs, local=myip:45834): user=<myuser>, method=PLAIN, rip=myip, lip=myip, TLS, session=<M1JtpiSPGNOsEQED> imap-login: Info: Aborted login (internal failure, 2 successful auths): user=<myuser>, method=PLAIN, rip=myip, lip=myip, TLS, session=<M1JtpiSPGNOsEQED>
on the backend:
imap-login: Error: proxy(myuser): Login for imap.myserver.lan:993 timed out in state=/none (after 30 secs, local=myip:47622): user=<myuser>, method=PLAIN, rip=myip, lip=myip, TLS, session=<gVxZhCSPftGsEQED> imap-login: Info: Disconnected (no auth attempts in 30 secs): user=<>, rip=myip, lip=imap.myserver.lan, TLS handshaking: SSL_accept() syscall failed: Success, session=<7XIkhiSPBrpfrWbS>
ok solved my problem by adding master user on backend and self-signed ssl certs on proxy instance:
default_fields = proxy=y host=imap.myserver.lan port=993 ssl=yes
master=masteruser pass=masterpass
participants (2)
-
Németh Ákos Ferenc
-
telsch