[Dovecot] An alternate "dovecot-auth" daemon using cyrus-sasl
We use dovecot in a heterogeneous environment (Windows/Linux desktops and Linux servers). For unified authentication we use a sheaf "Samba/Openldap" (i.e., Samba NT domain with openldap backend and pam/nss_ldap for Linux). Windows users are authenticated well everywhere, but there is one old issue. As "SPA" (NTLM) against NT domain is not supported by dovecot, it is necessary to use default "plain" method. In addition to security problems, it does also a problem of password unification. Each time a user changes the password, he should do it one more time for the mail program.
I know that dovecot supports NTLM, however against local database only (not for NT domain controller). In early versions support of cyrus-sasl (which supports NTLM now) had been incorporated, however it like not work and now is removed. Fortunately, there is a possibility to substitute dovecot-auth executable. Therefore I have tried to make an alternate variant of dovecot-auth, which supports all that we need.
For us, it seems to be more useful to create an auth daemon using cyrus-sasl, rather than to add domain support to existing ntlm code. First of all, it is easier for implementation. Besides it enables use of all mechanisms supported by cyrus-sasl (present and future), including GSSAPI. Anyway, it will be the useful additive to dovecot.
I have made appropriate patches for both dovecot-1.0-stable and dovecot-1.0.alpha1. The idea is to copy "src/auth" to "src/auth-cyrus", strip all unneeded from newly created directory and add cyrus-sasl support. The resulting code probably looks not so elegantly as if it has been written separately, however this way allows to not make a lot of things from the scratch.
The patch against 1.0.alpha1 is here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz . To be more readable, it is not a flat patch (due to a lot of whole files add/remove). It is a tarball with 3 files: a list of files to initial copy from auth/ to auth-cyrus/, a patch for resulting tree, and a script which automates this steps (:-)). (The script should be run in the root of the main source, i.e. a dir with src/ and doc/ subdirs).
I already have successfully tested this patch with PLAIN method. However before testing of other methods, it would be desirable that somebody have looked at it.
Whether someone could check up my patch (just fluently having read), at least for obvious bugs and typos?
Dmitry Butskoy <Dmitry@Butskoy.name>
Saint-Petersburg, Russia
Red Hat Certified Engineer 809003662809495On 248, 09 05, 2005 at 03:48:19PM +0400, buc wrote:
We use dovecot in a heterogeneous environment (Windows/Linux desktops and Linux servers). For unified authentication we use a sheaf "Samba/Openldap" (i.e., Samba NT domain with openldap backend and pam/nss_ldap for Linux).
So why you can't use dovecot with openldap as passdb ?
Windows users are authenticated well everywhere, but there is one old issue. As "SPA" (NTLM) against NT domain is not supported by dovecot, it is necessary to use default "plain" method. In addition to security problems, it does also a problem of password unification. Each time a user changes the password, he should do it one more time for the mail program.
I know that dovecot supports NTLM, however against local database only (not for NT domain controller). In early versions support of cyrus-sasl (which supports NTLM now) had been incorporated, however it like not work and now is removed. Fortunately, there is a possibility to substitute dovecot-auth executable. Therefore I have tried to make an alternate variant of dovecot-auth, which supports all that we need.
For us, it seems to be more useful to create an auth daemon using cyrus-sasl, rather than to add domain support to existing ntlm code. First of all, it is easier for implementation. Besides it enables use of all mechanisms supported by cyrus-sasl (present and future), including GSSAPI. Anyway, it will be the useful additive to dovecot.
Dovecot doesn't support cyrus-sasl for a good reason - it's a mess.
I have made appropriate patches for both dovecot-1.0-stable and dovecot-1.0.alpha1. The idea is to copy "src/auth" to "src/auth-cyrus", strip all unneeded from newly created directory and add cyrus-sasl support. The resulting code probably looks not so elegantly as if it has been written separately, however this way allows to not make a lot of things from the scratch.
The patch against 1.0.alpha1 is here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz . To be more readable, it is not a flat patch (due to a lot of whole files add/remove). It is a tarball with 3 files: a list of files to initial copy from auth/ to auth-cyrus/, a patch for resulting tree, and a script which automates this steps (:-)). (The script should be run in the root of the main source, i.e. a dir with src/ and doc/ subdirs).
I already have successfully tested this patch with PLAIN method. However before testing of other methods, it would be desirable that somebody have looked at it.
Whether someone could check up my patch (just fluently having read), at least for obvious bugs and typos?
Dmitry Butskoy <Dmitry@Butskoy.name> Saint-Petersburg, Russia Red Hat Certified Engineer 809003662809495
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On Mon, 2005-09-05 at 15:48 +0400, buc wrote:
The patch against 1.0.alpha1 is here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz . To be more readable, it is not a flat patch (due to a lot of whole files add/remove). It is a tarball with 3 files: a list of files to initial copy from auth/ to auth-cyrus/, a patch for resulting tree, and a script which automates this steps (:-)). (The script should be run in the root of the main source, i.e. a dir with src/ and doc/ subdirs).
I already have successfully tested this patch with PLAIN method. However before testing of other methods, it would be desirable that somebody have looked at it.
Whether someone could check up my patch (just fluently having read), at least for obvious bugs and typos?
Didn't see anything obviously wrong there.
In general I wouldn't mind having a standalone cyrus-sasl auth daemon that's compatible with dovecot-auth, but it'd have to be standalone instead of being distributed with Dovecot itself.
A lot more code could be removed from dovecot-auth besides what you already did. Probably better idea would be to just build a new one from scratch..
Also one thing that could be a problem is that Cyrus SASL's calls are blocking, so either you should be running many dovecot-cyrus-auth processes (I'm not sure how well that works nowadays), or you could change the code to use auth-worker processes where the Cyrus code is run the way dovecot-auth now does with MySQL.
Timo Sirainen wrote:
On Mon, 2005-09-05 at 15:48 +0400, buc wrote:
The patch against 1.0.alpha1 is here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz .
Didn't see anything obviously wrong there.
In general I wouldn't mind having a standalone cyrus-sasl auth daemon that's compatible with dovecot-auth, but it'd have to be standalone instead of being distributed with Dovecot itself.
I agree. However at the moment I would like to use a ready code, rather than to write all from the scratch. My be distribute it as a patch, not complete code itself?..
A lot more code could be removed from dovecot-auth besides what you already did.
You mean userdb stuff?
Probably better idea would be to just build a new one from scratch..
I'll think about it.
Is it true that this new "from-the scratch" one can be compatible with both "stable" and "alpha1" versions simultaneously?
What is the best way of integration of such a daemon with dovecot system? (There are some different ways, as can be seen at the end of dovecot.conf file...) Whether you have some skeleton (examples, tests etc.) of such an auth daemon?
Thanks, Dmitry Butskoy
participants (4)
-
Andrey Panin
-
buc
-
Dmitry Butskoy
-
Timo Sirainen