[Dovecot] GSSAPI and virtual Users?
Jelmer Vernooij
jelmer at samba.org
Thu Apr 6 21:32:10 EEST 2006
On Sun, Mar 26, 2006 at 11:24:16AM +0300, Timo Sirainen wrote:
> On Sat, 2006-03-25 at 14:40 +0100, Jelmer Vernooij wrote:
> > > I added now a pass=yes option to passdbs. This allows doing the
> > > conversion using eg.:
> > > passdb passwd-file {
> > > args = /etc/imap.users
> > > pass = yes
> > > }
> > > Where the imap.users file would contain entries like:
> > > imapuser:::::::user=realuser
> > > Or it could be done with SQL, LDAP or whatever.
> > > Now if only the GSSAPI code could somehow be told to do these passdb
> > > lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not
> > > really sure..
> > That shouldn't be too hard to implement I guess (at the moment
> > we simply require that the kerberos principal matches the username).
> > What functions do I need to call to look up the mapping?
> Well, I'm not sure how it should work. My basic idea was that you could
> call auth_request_verify_plain() which would then succeed because the
> password is empty and it would also get the username changed.
The GSSAPI code receives two names from the client - the principal
name that is being used for the authentication and the user name to
use. At the moment, we still require both to be the same user. It
would be sufficient if I could check whether a particular user is
allowed to log in with a particular realname. I.e. if you could
provide a function:
bool passdb_user_is_realuser(const char *authuser, const char *realuser);
Or perhaps a lookup function to retrieve the realuser for a particular
authuser?
> But if you want to support also other ways to authenticate than GSSAPI,
> then you'd need to have passdbs set for that, and this idea would break.
> So I'm not sure exactly how this should work.
There should be no need for that in any case.
I have the feeling I'm not quite understanding this all, but I'm not
sure what it is I don't get :-)
Cheers,
Jelmer
--
Jelmer Vernooij <jelmer at samba.org> - http://jelmer.vernstok.nl/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20060406/27566a90/attachment.pgp
More information about the dovecot
mailing list