[Dovecot] GSSAPI and virtual Users?

Timo Sirainen tss at iki.fi
Sun Mar 26 11:24:16 EEST 2006


On Sat, 2006-03-25 at 14:40 +0100, Jelmer Vernooij wrote:
> > I added now a pass=yes option to passdbs. This allows doing the
> > conversion using e.g.:
> 
> > passdb passwd-file {
> >   args = /etc/imap.users
> >   pass = yes
> > }
> 
> > Where the imap.users file would contain entries like:
> 
> > imapuser:::::::user=realuser
> 
> > Or it could be done with SQL, LDAP or whatever.
> 
> > Now if only the GSSAPI code could somehow be told to do these passdb
> > lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not
> > really sure..
> That shouldn't be too hard to implement I guess (at the moment 
> we simply require that the Kerberos principal matches the username).
> What functions do I need to call to look up the mapping?

Well, I'm not sure how it should work. My basic idea was that you could
call auth_request_verify_plain() which would then succeed because the
password is empty and it would also get the username changed.

But if you want to support also other ways to authenticate than GSSAPI,
then you'd need to have passdbs set for that, and this idea would break.
So I'm not sure exactly how this should work.

Maybe if only those pass=yes passdbs were called with some function? Or
maybe there should be some new way to configure which passdbs get used
for which mechanisms..
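
An added example, not part of the original message and not Dovecot code: a small audit of a passwd-file like the one quoted above. It lists entries whose password field is empty and notes whether they carry a `user=` mapping, since those are the entries the message says a plain verification would accept. The eight-field layout with space-separated `key=value` extras is assumed from the quoted line; the function names are hypothetical and every sample line except the first is constructed.

```python
# Added illustration. First sample line is the entry quoted in the message;
# the other two are constructed for the example.
SAMPLE = """\
imapuser:::::::user=realuser
alice:{PLAIN}secret:1000:1000::/home/alice::
bob:::::::
"""

# Assumed layout: user:password:uid:gid:gecos:home:shell:extra_fields
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "extra")


def parse_entry(line):
    """Split one passwd-file line into its eight colon-separated fields."""
    parts = line.rstrip("\n").split(":", 7)
    parts += [""] * (len(FIELDS) - len(parts))  # tolerate short lines
    entry = dict(zip(FIELDS, parts))
    # Extra fields are assumed to be space-separated key=value pairs.
    entry["extra"] = dict(
        kv.split("=", 1) for kv in entry["extra"].split() if "=" in kv
    )
    return entry


def audit(text):
    """Return (line_no, login, mapped_user, kind) for empty-password entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry["password"] != "":
            continue
        mapped = entry["extra"].get("user")
        # A mapping entry with no password is only appropriate when the
        # identity was already proven elsewhere (e.g. by GSSAPI).
        kind = "mapping-empty-password" if mapped else "empty-password"
        findings.append((line_no, entry["user"], mapped, kind))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```
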