[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth

[Timo Sirainen]

On Mon, 2007-07-02 at 16:19 +0400, Dmitry Butskoy wrote:
> - I try to code things most close to used style, i.e. using Dovecot's 
> memory-management and io-pipe routines etc., but could someone look at 
> it and check whether I've missed something or not?

close() and dup2() errors should be reported, although they're unlikely.

ostream is a bit pointless there since you're doing only a single write.
You could just use write_full().

> - Maybe some other options should be implemented, i.e. 
> "auth_winbind_helper_ntlm" and "auth_winbind_helper_spnego" to specify 
> the helper's cmdline exactly ?

Yes.

> - Currently I strip domain part of the username returned, i.e. from 
> "DOMAIN\user" just to "user". Maybe better add some option 
> "auth_winbind_strip_domain" for this?

What if you changed it to user at domain? Then you could use Dovecot's
standard %n or %u variables.

There's one thing I'd want changed: make it non-blocking. Both input and
output are currently blocking, so dovecot-auth is stuck while waiting
for ntlm_auth to reply. I want to avoid this whenever possible (I don't
ever want to see "authentication just gets stuck, why??" mails.
"ntlm_auth timed out" message in log is much nicer).

I guess ntlm_auth can handle only a single session at a time? So this
would pretty much require that you either implement some kind of a queue
or execute multiple ntlm_auths. Or maybe both. Using auth worker
processes would probably be best. Unfortunately that currently works
only for passdbs and userdbs, not for mechanisms. I guess I could try
changing this for v1.1, unless you want to try? :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20070702/46d251bf/attachment.bin