[Dovecot] check password on behalf of user
I'm running a KDC with all users and passwords, but have to manage clients that don't support GSSAPI, like mobile phones. Is it possible for Dovecot SASL to check the password in the KDC when a user sends a plain text login? I know this is possible to do with saslauthd from Cyrus, but prefer to stick with Dovecot SASL.
On Tue, 2010-02-09 at 20:47 +0300, Nikolay Shopik wrote:
> I'm running a KDC with all users and passwords, but have to manage clients that don't support GSSAPI, like mobile phones. Is it possible for Dovecot SASL to check the password in the KDC when a user sends a plain text login? I know this is possible to do with saslauthd from Cyrus, but prefer to stick with Dovecot SASL.
Not directly, but how about pam_krb5?
On 09.02.2010 21:10, Timo Sirainen wrote:
> On Tue, 2010-02-09 at 20:47 +0300, Nikolay Shopik wrote:
>> I'm running a KDC with all users and passwords, but have to manage clients that don't support GSSAPI, like mobile phones. Is it possible for Dovecot SASL to check the password in the KDC when a user sends a plain text login? I know this is possible to do with saslauthd from Cyrus, but prefer to stick with Dovecot SASL.
> Not directly, but how about pam_krb5?
But this won't work if I have virtual users, right?
On Tue, 2010-02-09 at 21:12 +0300, Nikolay Shopik wrote:
> On 09.02.2010 21:10, Timo Sirainen wrote:
>> On Tue, 2010-02-09 at 20:47 +0300, Nikolay Shopik wrote:
>>> I'm running a KDC with all users and passwords, but have to manage clients that don't support GSSAPI, like mobile phones. Is it possible for Dovecot SASL to check the password in the KDC when a user sends a plain text login? I know this is possible to do with saslauthd from Cyrus, but prefer to stick with Dovecot SASL.
>> Not directly, but how about pam_krb5?
> But this won't work if I have virtual users, right?
I guess it depends on if pam_krb5 tries to use NSS. If it doesn't, I don't see why it couldn't work.
On 09.02.2010 21:14, Timo Sirainen wrote:
> On Tue, 2010-02-09 at 21:12 +0300, Nikolay Shopik wrote:
>> On 09.02.2010 21:10, Timo Sirainen wrote:
>>> On Tue, 2010-02-09 at 20:47 +0300, Nikolay Shopik wrote:
>>>> I'm running a KDC with all users and passwords, but have to manage clients that don't support GSSAPI, like mobile phones. Is it possible for Dovecot SASL to check the password in the KDC when a user sends a plain text login? I know this is possible to do with saslauthd from Cyrus, but prefer to stick with Dovecot SASL.
>>> Not directly, but how about pam_krb5?
>> But this won't work if I have virtual users, right?
> I guess it depends on if pam_krb5 tries to use NSS. If it doesn't, I don't see why it couldn't work.
Sounds promising, could you point me to any example or documentation on how to accomplish this?
On Tue, 2010-02-09 at 21:17 +0300, Nikolay Shopik wrote:
>> I guess it depends on if pam_krb5 tries to use NSS. If it doesn't, I don't see why it couldn't work.
> Sounds promising, could you point me to any example or documentation on how to accomplish this?
Nope. Never used Kerberos, and I don't know much about PAM either.
Anyway, I guess basically you'll follow any HOWTO that describes how to set up pam_krb5. Just don't enable pam_krb5 for non-Dovecot logins and it'll be fine.
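Added example, not part of the original thread or of Dovecot's documentation: one way the setup discussed above could look, with a PAM service that only Dovecot uses and a static userdb for virtual users. It assumes Dovecot 2.0-2.3 configuration syntax and a pam_krb5 module that reads its realm and KDC from /etc/krb5.conf; the file paths, `vmail` and `/var/vmail` are placeholder values, and whether your pam_krb5 build needs a local (NSS) account still has to be tested.

```conf
# ---- /etc/pam.d/dovecot  (PAM service referenced only by Dovecot) ----
# Verify the plaintext password by requesting a ticket from the KDC.
auth     required  pam_krb5.so
# Virtual users have no local account, so no local account checks are
# done here (assumption: account validity is enforced in the KDC).
account  required  pam_permit.so

# ---- Dovecot configuration (placeholder path: conf.d/10-auth.conf) ----
# Offer PLAIN/LOGIN to clients that cannot do GSSAPI. The password now
# crosses the wire, so refuse plaintext auth on unencrypted connections.
auth_mechanisms = plain login
disable_plaintext_auth = yes
ssl = required

passdb {
  driver = pam
  # PAM service name; selects /etc/pam.d/dovecot above, so pam_krb5
  # stays out of the PAM stacks used by other logins.
  args = dovecot
}

# Virtual users: fixed uid/gid/home, so Dovecot itself does no
# passwd/NSS lookup for the mailbox owner.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%u
}
```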
participants (2): Nikolay Shopik, Timo Sirainen