[Dovecot] Proxy and SSO (single sign-on)

[Miguel Tormo]

El Miércoles, 4 de Abril de 2012 13:47:47 Miguel Tormo escribió:
> El Miércoles, 4 de Abril de 2012 13:21:33 Timo Sirainen escribió:
> > On 4.4.2012, at 14.18, Miguel Tormo wrote:
> > 
> > > I have a running setup with a dovecot imap4/pop3 proxy to a few dovecot backend servers which actually store the mailboxes. This is running smoothly and allows me to transparently distribute mailboxes.
> > > I'm using some "extrafield" configured in the LDAP passdb.
> > > 
> > > However, now I would like to use GSSAPI (preferred) and NTLM for single sign-on. Both are pretty straightforward to configure in a single instance environment, but I don't know if they would work with proxy. For example, with GSSAPI there are two cases:
> > >  1) Just use gssapi mechanism, without PAM. Then, it a user presents a ticket the passdb ldap is not used, so the extrafields are never read.
> > 
> > The patch in http://dovecot.org/list/dovecot/2012-March/064331.html makes this work I think. I still haven't managed to look into it much though.
> > 
> > 
> 
> It definitely is worth a look. I wonder if it would make ldap extrafields lookups work with gssapi auth, I will try it and post the results.

Well just in case someone is interested: I applied Sam Morris' patch and got this working. Very nice indeed. To keep in mind:
 - It's necessary to set a master password for the backend server so the proxy instance can impersonate any user when connecting to the backend instance. I needed to do this to make GSSAPI with proxy work (thus the proxy instance is who actually does the authentication), however NTLM worked without a masster password, it seems this authenticatiom mechanism can be forwarded as is.
 - In the LDAP configuration, "auth bind" must be set to "no". Obviously, when using sso you don't provide a password, so there is no way it can bind to the LDAP server with your credentials.

There is still a problem that might be more related to the MUA, but still if anyone has a suggestion I would appreciate it.
The problem is the following: if you are a roaming user (ie: with a laptop)  when you are outside the LAN you cannot get a kerberos ticket thus the GSSAPI auth fails. Then you have to change your account configuration and select a password-based authentication mechanism. This is not very convenient. However, this is different if compared with kerberos authentication with a web browser: if you have a valid ticket, access is granted; if not, the browser prompts for user/password and then you are granted access if the supplied credentials are valid.

Do you have any idea if something like this is possible to accomplish with IMAP?


Thank you and regards,