[Dovecot] Dovecot authenticating---> Active Directory Win2003

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Tue Dec 9 21:32:03 EET 2008


On Tue, Dec 09, 2008 at 01:57:43PM +0100, Thomas Siebert wrote:

> > That works but has 3 main drawbacks:
> >  1) It is a pain to setup SSL LDAP on both windows and linux. If you
> >     don't do this then it is massively insecure
> 
> Agreed, if you don't it is massively insecure. But I don't see why it should
> be that complicated. For the ADS, Microsoft gives advice:
> http://support.microsoft.com/kb/321051
> 
> ...and for Linux, there are tons of tutorials.

Right, it isn't impossible, but setting up a CA, generating certs,
installing them and enabling the magic feature (on all your ADS
servers) is much more work than setting up winbind :)

> >  2) Passwords must be exchanged in plain text over IMAP. Also no
> >     single sign on capabilities.

> Agreed there's no single sign on. But for plain text password exchange,
> there's no drawback when you use IMAPS or POP3S. And you should always do
> so. 

Well, the security advantage to all the hashing schemes is that a
compromise of your imap server does not result in a plain text
password disclosure for all users.

> For load balancing, it should be possible to use a round-robin DNS server
> instead. And you forget that the numbers of LDAP queries will be doubled as
> there's no possibility to use userdb prefetch.

I looked at load balancing with SSL LDAP once and rapidly ran into
trouble with certificate validation issues. The SSL certs in the ADS
should have unique machine names which was incompatible with a DNS
round robin. The new SRV record processing code in openldap is
supposed to avoid that problem though.

Also, winbind doesn't actually authenticate over ldap, it uses a much
lower overhead UDP protocol...

Once you no longer need to do authentication over ldap it
becomes possible to maintain a long term kerberized LDAP session for
user database queries if you need that (though I suppose dovecot
cannot do that today). Removing the per-user SSL setup cost would
easily gain back any overheads from even the most expensive
authentication operation that winbind does.

Heck, even being able to do a root-owned kerberized LDAP query would
be a nice dovecot feature for ADS integration since it removes the
need for SSL setup entirely. Once samba joins an ADS domain root has
access to the host$ ticket and can do secured ldap queries using the
machine account.

Jason
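As an added illustration of the certificate-validation problem Jason describes above (this is not code from the thread, nor from Dovecot or OpenLDAP): a small Python model with constructed domain controller names, certificate SANs, a round-robin alias and SRV records. The matcher is a simplified RFC 6125 dNSName check; it shows why a client that verifies the round-robin alias fails against per-machine certificates, while a client that follows the SRV target name passes.

```python
"""Hostname verification for LDAP over TLS: round-robin alias vs. SRV target.

All names, SANs and records below are constructed for illustration; nothing
here touches the network.
"""


def san_matches(hostname, san_name):
    """Simplified RFC 6125 dNSName match: case-insensitive, label by label.
    A wildcard may only be the entire leftmost label, matches exactly one
    label, and is not accepted for names with fewer than three labels."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san_name.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_valid_for(hostname, san_names):
    """True if any SAN entry on the certificate covers the verified name."""
    return any(san_matches(hostname, name) for name in san_names)


# Constructed: each DC's certificate carries only its own machine name,
# which is what the Windows CA issues by default for domain controllers.
DC_CERT_SANS = {
    "dc1.ad.example.com": ["dc1.ad.example.com"],
    "dc2.ad.example.com": ["dc2.ad.example.com"],
}
# Constructed round-robin alias: one DNS name answered by either DC.
ROUND_ROBIN = {"ldap.ad.example.com": ["dc1.ad.example.com", "dc2.ad.example.com"]}
# Constructed SRV records in the shape AD publishes: (priority, weight, port, target).
SRV = {"_ldap._tcp.ad.example.com": [(0, 100, 389, "dc1.ad.example.com"),
                                     (0, 100, 389, "dc2.ad.example.com")]}


def verify_via_round_robin(alias):
    """A plain client verifies the alias it was configured with, so every DC
    behind the alias is checked against a name its certificate lacks."""
    return {dc: cert_valid_for(alias, DC_CERT_SANS[dc]) for dc in ROUND_ROBIN[alias]}


def verify_via_srv(domain):
    """An SRV-aware client connects to, and verifies, each record's target name
    (lowest priority first, highest weight first within a priority)."""
    records = sorted(SRV["_ldap._tcp." + domain], key=lambda r: (r[0], -r[1]))
    return {target: cert_valid_for(target, DC_CERT_SANS[target])
            for _, _, _, target in records}
```

The round-robin path only works if every DC certificate also carries the shared alias or a wildcard covering it (`*.ad.example.com` covers `ldap.ad.example.com`; `*.example.com` does not, since a wildcard matches a single label).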

