Dovecot auth username mapping

Philon bytesplit at gmail.com
Thu Jul 2 06:51:14 UTC 2015


Hi Laz,

I’m just wondering… why are you using LDAP and/or PAM to access the MySQL server? If also the password is stored in the db you could use MySQL directly?

Because then you could use password_query and user_query to actually split the provided email address into name and domain parts. Then you can lookup each individually or adjust as needed...

I have something like this:
user_query = SELECT CONCAT('/var/mail/virtual/', SUBSTRING(`mail_addr`, LOCATE('@', `mail_addr`) +1 ), '/', \
  SUBSTRING(`mail_addr`, 1, LOCATE('@', `mail_addr`) -1) ) AS 'home', '1000' AS 'uid', \
  '8' AS 'gid', CONCAT('*:bytes=', `quota`, 'M') AS 'quota_rule' FROM `mail_users` \
  WHERE `mail_addr` = '%u' AND `status` = 'ok' AND `mail_type` LIKE '%%_mail%%‘

With an SQL statement you could even use sub-selects and whatnot to do complicated things. Perhaps you could do something similar with the LDAP string but I never used LDAP that much…


Philon

> Am 02.07.2015 um 02:27 schrieb Laz C. Peterson <laz at paravis.net>:
> 
> It’s actually unbelievable how much slower LDAP auth is than PAM.  Does anyone have any suggestions how I can improve Dovecot LDAP auth?  I have tried caching authentications and that doesn’t help either.
> 
> ~ Laz Peterson
> Paravis, LLC
> Ph: 951.319.3240 x201
> 
>> On Jul 1, 2015, at 4:41 PM, Laz C. Peterson <laz at paravis.net> wrote:
>> 
>> Thank you for the response Axel.  I will look into that.
>> 
>> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow.  For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately.  When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing.
>> 
>> I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow!  This would definitely be an option though, as it does serve the purpose.  I just can’t figure out how to fix the performance issue.  Any thoughts to this?
>> 
>> ~ Laz Peterson
>> Paravis, LLC
>> Ph: 951.319.3240 x201
>> 
>>> On Jul 1, 2015, at 3:24 PM, Axel Luttgens <axel.luttgens at skynet.be> wrote:
>>> 
>>> 
>>>> Le 1 juil. 2015 à 04:38, Laz C. Peterson
>>> 
>>>> a écrit :
>>>> 
>>>> I have an interesting case here …
>>>> 
>>>> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM.  PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz at PARAVIS.LOCAL <mailto:laz at PARAVIS.LOCAL> and my email address would be laz at paravis.net <mailto:laz at paravis.net>.
>>>> 
>>>> All of this works just fine.  But what I want to do is allow the users to log in using their email address and not their full Kerberos name.  It is becoming laborious to help the users understand the difference between their username at LOCAL.REALM and username at email.address <mailto:username at email.address> and why we have to have two separate identities that mean the same thing.
>>>> 
>>>> I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either).  But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username.
>>>> 
>>>> I’m sure there has to be a way.  Any help will be greatly appreciated.  Thank you!
>>> 
>>> Hello Laz,
>>> 
>>> I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
>>> 
>>> Indeed, your MySql database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
>>> 
>>> That said, I hope to be wrong,
>>> Axel



More information about the dovecot mailing list