[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth
Dmitry Butskoy
buc at odusz.so-cdu.ru
Mon Jul 2 19:19:01 EEST 2007
Timo Sirainen wrote:
>> - Currently I strip domain part of the username returned, i.e. from
>> "DOMAIN\user" just to "user". Maybe better add some option
>> "auth_winbind_strip_domain" for this?
>>
>
> What if you changed it to user@domain? Then you could use Dovecot's
> standard %n or %u variables.
>
AFAIK "user@domain" should have an actual form of "user@example.com",
but "ntlm_auth" returns "EXAMPLE\user" in such a case, not
"EXAMPLE.COM\user". At least for NTLM (against AD).
OTOH the spnego could return the actual "user@example.com", but it is
still unknown to me :)
> There's one thing I'd want changed: make it non-blocking. Both input and
> output are currently blocking, so dovecot-auth is stuck while waiting
> for ntlm_auth to reply. I want to avoid this whenever possible (I don't
> ever want to see "authentication just gets stuck, why??" mails.
> "ntlm_auth timed out" message in log is much nicer).
>
> I guess ntlm_auth can handle only a single session at a time?
No.
Normally ntlm_auth is invoked at once for ALL authentication sessions. It
is a child process which lives all the time while the dovecot-auth is alive.
> There's one thing I'd want changed: make it non-blocking
Still actual after the clarification above?..
> So this
> would pretty much require that you either implement some kind of a queue
>
Currently I prefer to use blocking io, which provides such "a queue"
de-facto. At least for initial implementation. (I hope "ntlm_auth" is
fast enough).
But some timeout surely could be useful. How can it be implemented?
> or execute multiple ntlm_auths.
Does the use of worker for, say, PAM userdb affect us here too?
> Or maybe both. Using auth worker
> processes would probably be best. Unfortunately that currently works
> only for passdbs and userdbs, not for mechanisms. I guess I could try
> changing this for v1.1, unless you want to try? :)
>
It seems that I prefer you try it... :)
Does "blocking io" + "worker" look like the best way?
Regards
Dmitry Butskoy
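
The timeout asked about above can be put on the read from the ntlm_auth pipe with poll() and a monotonic deadline. This is an added example, not part of the original message and not Dovecot's own code; helper_read_line and strip_domain are hypothetical names, and one reply per line from the helper is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Milliseconds on a monotonic clock, so wall-clock jumps cannot stretch the wait. */
static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read one '\n'-terminated reply from the helper's stdout pipe.
 * Returns its length (newline stripped), -2 on timeout,
 * -1 on error, EOF (helper died) or a reply too long for buf. */
int helper_read_line(int fd, char *buf, size_t size, int timeout_ms)
{
    long deadline = now_ms() + timeout_ms;
    size_t len = 0;

    while (len + 1 < size) {
        long left = deadline - now_ms();
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int r = left > 0 ? poll(&pfd, 1, (int)left) : 0;
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) return -1;
        if (r == 0) return -2;          /* caller logs "ntlm_auth timed out" */
        /* One byte at a time: never consume past the end of this reply. */
        ssize_t n = read(fd, buf + len, 1);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        if (buf[len] == '\n') {
            buf[len] = '\0';
            return (int)len;
        }
        len++;
    }
    return -1;
}

/* "DOMAIN\user" -> "user"; names without a backslash are returned unchanged. */
const char *strip_domain(const char *name)
{
    const char *p = strchr(name, '\\');
    return p ? p + 1 : name;
}
```

A -2 return leaves the session in an unknown state on a long-lived helper, so the caller would fail the request and restart the child rather than reuse the pipe.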