[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth
Timo Sirainen
tss at iki.fi
Mon Jul 2 19:56:55 EEST 2007
On Mon, 2007-07-02 at 20:19 +0400, Dmitry Butskoy wrote:
> Timo Sirainen wrote:
> >> - Currently I strip domain part of the username returned, i.e. from
> >> "DOMAIN\user" just to "user". Maybe better add some option
> >> "auth_winbind_strip_domain" for this?
> >>
> >
> > What if you changed it to user at domain? Then you could use Dovecot's
> > standard %n or %u variables.
> >
>
> AFAIK "user at domain" should have an actual form of "user at example.com",
> but "ntlm_auth" returns "EXAMPLE\user" in such a case, not
> "EXAMPLE.COM\user". At least for NTLM (against AD).
> OTOH the spnego could retrurn the actual "user at example.com", but it is
> still unknown to me :)
I don't think it's a problem even if it returned only user at example. %d
then just expands to example. At least I think it's better than not
having the domain at all.
> > There's one thing I'd want changed: make it non-blocking. Both input and
> > output are currently blocking, so dovecot-auth is stuck while waiting
> > for ntlm_auth to reply. I want to avoid this whenever possible (I don't
> > ever want to see "authentication just gets stuck, why??" mails.
> > "ntlm_auth timed out" message in log is much nicer).
> >
> > I guess ntlm_auth can handle only a single session at a time?
>
> No.
I mean simultaneously. Like you can't send multiple "begin/continue
authentication" commands to it and then just wait until one of them
finishes?
> > There's one thing I'd want changed: make it non-blocking
>
> Still actual after the clarification above?..
Yep.
> > So this
> > would pretty much require that you either implement some kind of a queue
> >
>
> Currently I prefer to use blocking io, which provides such "a queue"
> de-facto. At least for initial implementation. (I hope "ntlm_auth" is
> fast enough).
I think the problem isn't ntlm_auth itself, but that it also has to talk
to AD. So any network problems there could leave it hanging.
> But some timeout surely could be useful. How can it be implemented?
By using non-blocking I/O :)
> > or execute multiple ntlm_auths.
>
> Does the use of worker for, say, PAM userdb affects us here too?
PAM is passdb. But anyway it shouldn't affect.
> > Or maybe both. Using auth worker
> > processes would probably be best. Unfortunately that currently works
> > only for passdbs and userdbs, not for mechanisms. I guess I could try
> > changing this for v1.1, unless you want to try? :)
> >
>
> It seems that I prefer you try it... :)
>
> Does "blocking io" + "worker" look like the best way?
I think so. Or some kind of a generic queue maybe.. Hmm. Doesn't GSSAPI
have the exact same problem? I think it does. Maybe I could figure out
something for them both.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20070702/79a0956d/attachment.bin
More information about the dovecot
mailing list