[Dovecot] LDAP and GSSAPI problems

[Trever L. Adams]

On 02/05/2011 06:35 PM, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
>> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>>> It does set that, but only on first GSSAPI authentication. I guess it
>>> wouldn't hurt moving it to do it always. If that script helps you, I can
>>> do this change.
>> It appears that the script you recommended doesn't do the trick. Does
>> /usr/libexec/dovecot/auth clear the environment. Even doing it manually
>> from the command line the openldap stuff doesn't seem to pick up the
>> KRB5_KTNAME environment variable.
> Isn't it called KRB5CCNAME?
Yes. Some things (Amanda, at least from the directions, I haven't done
it yet) actually still use service principals which are KRB5_KTNAME. For
credentials in most clients, yes, KRB5CCNAME and that does work.
> Presumably if dovecot has SASL setup properly for Openldap then it
> will work just fine if KRB5CCNAME is properly exported to it.
>
> However! Be aware that the TGT must be refreshed periodically, that
> is just how kerberos works.
Yes, this refresh is EXACTLY what I have been trying to avoid with
service principals. I am starting to wish that Samba 4 supported SASL
CRAM-MD5 or something so that I could just use that; no refresh.
>> I can kinit on the command line and get auth to work, but the kinit
>> doesn't hold over to the dovecot process (for good reasons I am sure).
>
> The *ideal* world would be if dovecot supported an in-memory ticket
> cache that it stored a TGT for a given UPN that it initializes using a
> given keytab. This is what samba does internally and realistically is
> required to use kerberos as a client.
I would prefer an SPN if it were at all possible. On reading that again,
I think we are saying about the same thing. This would be fantastic.
Heck, if I knew how to do that manually I could just script it, but,
being new to Kerberos and LDAP I am missing a lot as I read the
documentation, I am sure.
> IMHO, doing ldap without kerb is kinda sketchy unless you completely
> trust your network - it is easy to spoof ldap replies, kerb fixes
> that and has low overhead compared to ssl.
>
> Jason
Yes, this is exactly the reasons I am trying to get there. The problem
is the refresh. Somehow I need to get around having to refresh the CC or
use a keytab with SPNs.

Thank you for all your input. I am afraid this is the same problem I am
going to hit with Postfix (it does a similar setup to Dovecot, I am just
not running the recent version yet that supports it).

Timo, is it possible for you to add that "import_environment
=KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME =/etc/dovecot/krb5.cc"
(does this really need to be set over and over or can the master process
set it and have the environment inherited... it has been a long time
since I did any coding related to environment variables accross forks,
etc.)? This will solve all the problems (whether keytab or
credentialcache) other than the fact that OpenLDAP as a client won't
work with a keytab (SPN) and that Kerberos will require a refresh of the
credential cache.

Thank you Jason and Timo for helping me find a good solution,
Trever
-- 
"All that is necessary for the triumph of evil is that enough good men
do nothing." -- Edmund Burke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20110205/2f597283/attachment.bin