Dovecot auth username mapping
I have an interesting case here …
Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM. PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz@PARAVIS.LOCAL and my email address would be laz@paravis.net.
All of this works just fine. But what I want to do is allow the users to log in using their email address and not their full Kerberos name. It is becoming laborious to help the users understand the difference between their username@LOCAL.REALM and username@email.address and why we have to have two separate identities that mean the same thing.
I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either). But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username.
I’m sure there has to be a way. Any help will be greatly appreciated. Thank you!
~ Laz Peterson Paravis, LLC
On 1 Jul 2015 at 04:38, Laz C. Peterson wrote:
Hello Laz,
I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
Indeed, your MySQL database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
That said, I hope to be wrong, Axel
Thank you for the response Axel. I will look into that.
I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow. For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately. When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing.
I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow! This would definitely be an option though, as it does serve the purpose. I just can’t figure out how to fix the performance issue. Any thoughts to this?
~ Laz Peterson Paravis, LLC Ph: 951.319.3240 x201
On Jul 1, 2015, at 3:24 PM, Axel Luttgens <axel.luttgens@skynet.be> wrote:
It’s actually unbelievable how much slower LDAP auth is than PAM. Does anyone have any suggestions how I can improve Dovecot LDAP auth? I have tried caching authentications and that doesn’t help either.
~ Laz Peterson Paravis, LLC Ph: 951.319.3240 x201
On Jul 1, 2015, at 4:41 PM, Laz C. Peterson <laz@paravis.net> wrote:
Hi Laz,
I’m just wondering… why are you using LDAP and/or PAM to access the MySQL server? If the password is also stored in the db, you could use MySQL directly?
Because then you could use password_query and user_query to actually split the provided email address into name and domain parts. Then you can look up each individually or adjust as needed...
I have something like this:
# %u is the login as typed; %% is a literal % (a single % starts a Dovecot variable)
user_query = SELECT CONCAT('/var/mail/virtual/', \
    SUBSTRING(mail_addr, LOCATE('@', mail_addr) + 1), '/', \
    SUBSTRING(mail_addr, 1, LOCATE('@', mail_addr) - 1)) AS 'home', \
  '1000' AS 'uid', '8' AS 'gid', \
  CONCAT('*:bytes=', quota, 'M') AS 'quota_rule' \
  FROM mail_users \
  WHERE mail_addr = '%u' AND status = 'ok' AND mail_type LIKE '%%_mail%%'
With an SQL statement you could even use sub-selects and whatnot to do complicated things. Perhaps you could do something similar with the LDAP string but I never used LDAP that much…
Philon
On 02.07.2015 at 02:27, Laz C. Peterson <laz@paravis.net> wrote:
On 2015-07-02 at 01:41, Laz C. Peterson wrote:
I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow. Any thoughts to this?
In case you have multiple passdb backends, it could be that LDAP only gets its chance after PAM has timed out.
-- peter
Peter,
Yes that is a possibility. I will try disabling PAM (or switching the auth order) and see if that makes a difference. Thanks for the suggestion!
~ Laz Peterson Paravis, LLC Ph: 951.319.3240 x201
On Jul 1, 2015, at 11:34 PM, Peter Chiochetti <pch@myzel.net> wrote:
Ahh Peter, good call on this one!
<beating head into desk><pause><beating head into desk again><thumbs up>
So after playing around with the order of authentication in Dovecot, you are correct, the PAM timeout was causing the holdup. I guess since PAM has no way of looking up whether or not a user exists prior to authenticating, this is causing the hiccup, versus LDAP which can search for a user’s existence prior to the auth. Switching these around, I notice almost *no* degradation in performance for PAM authentications, and the LDAP authentications run smooth as I would hope them to.
Awesome, so now we have our solution! (I think.)
Gotta say, a lot of love goes out to the Dovecot community (especially Timo!) for all the inspiration and help that I’ve received. Dovecot is a great app and this community is the backbone of it all. Cheers to all!
Thanks again.
~ Laz Peterson Paravis, LLC Ph: 951.319.3240 x201
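As an added example (not Laz's actual configuration, and not from the thread), here is the passdb ordering he describes, in Dovecot 2.x syntax: the LDAP passdb, which can answer "no such user" without a password round-trip, is listed first, and PAM is only consulted when LDAP does not accept the login. The file path, the PAM service name and the surrounding config layout are assumptions.

```conf
# Added example, not from the thread. Dovecot 2.x, e.g. conf.d/10-auth.conf.
# passdb blocks are tried in the order they appear in the configuration.
passdb {
  driver = ldap
  # assumed path to the LDAP passdb settings
  args = /etc/dovecot/dovecot-ldap.conf.ext
  # when LDAP rejects the login, fall through to the next passdb
  # (continue is already the default for result_failure; stated for clarity)
  result_failure = continue
}
passdb {
  driver = pam
  # PAM service name; the Kerberos module stack lives in /etc/pam.d/dovecot (assumed)
  args = dovecot
}
```

To confirm which passdb is answering for a given login, set auth_debug = yes temporarily and run doveadm auth test with the address the user types; the log then shows each passdb lookup in order, which makes a slow first passdb easy to spot.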
On Jul 2, 2015, at 6:25 AM, Laz C. Peterson <laz@paravis.net> wrote:
participants (4)
- Axel Luttgens
- Laz C. Peterson
- Peter Chiochetti
- Philon