GSSAPI vs group check
Németh Ákos Ferenc
nemethakos at f-labor.mkt.bme.hu
Fri Jun 1 14:55:29 EEST 2018
Dear All,
Is it possible to make any authorization (e.g. checking of group
membership) in case of GSSAPI authentication?
Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
file I'm able to check if a user is a member of a selected (e.g.
mailreader) group. If the user is a member, he can log in, otherwise not
(see below). If the user has a valid Kerberos ticket and he tries to
log in via GSSAPI, I can't restrict him if he is not a member of the
selected group.
How can I overcome this issue?
My config:
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #args = dovecot
}

userdb {
  # <doc/wiki/AuthDatabase.Passwd.txt>
  driver = passwd
  # [blocking=no]
  #args =

  # Override fields from passwd
  #override_fields = home=/home/virtual/%u
}
...in PAM file:
auth [success=1 default=ignore] pam_succeed_if.so user ingroup mailreader
auth [success=ignore default=2] pam_succeed_if.so user ingroup admins
auth [success=ignore default=1] pam_succeed_if.so uid >= 1000
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
auth [success=ignore default=1] pam_succeed_if.so uid < 1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Thank you.
Br,
Ákos
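The point of the question is that the PAM stack above mixes authentication (pam_winbind / pam_unix) with authorization (the pam_succeed_if group tests), so a GSSAPI login that never enters the PAM stack also never hits the group test. The following is an added example, not code from the post or from Dovecot: the group-membership decision ("is the user in mailreader or admins?") written as a stand-alone check over passwd/group data, i.e. the kind of authorization step that has to run independently of which mechanism proved the user's identity. The passwd and group records are constructed for the example; the helper names and the ALLOWED_GROUPS tuple are my own.

```python
"""Group-membership authorization check, separate from authentication.

Added example (not part of the mailing-list post or of Dovecot).  The passwd
and group data below are constructed; a real deployment would read
/etc/passwd and /etc/group (or NSS via the pwd/grp modules) instead.
"""

# Constructed sample data in /etc/passwd and /etc/group format.
PASSWD_DATA = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:2001:Carol:/home/carol:/bin/bash
"""

GROUP_DATA = """\
root:x:0:
alice:x:1001:
bob:x:1002:
mailreader:x:2001:alice
admins:x:2002:bob
"""

# Groups whose members may log in (mirrors the two pam_succeed_if tests).
ALLOWED_GROUPS = ("mailreader", "admins")


def parse_passwd(text):
    """Return {username: primary_gid} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed record: ignore rather than guess
        users[fields[0]] = int(fields[3])  # name:pw:uid:gid:...
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_supplementary_members)}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _, gid, members = fields[:4]
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


USERS = parse_passwd(PASSWD_DATA)
GROUPS = parse_group(GROUP_DATA)


def user_groups(username, users=USERS, groups=GROUPS):
    """All groups a user belongs to: primary gid plus supplementary entries.

    Checking only the member list would miss users whose *primary* group is
    the allowed one (carol below), which is a common source of false denials.
    """
    if username not in users:
        return set()
    primary_gid = users[username]
    return {
        gname
        for gname, (gid, members) in groups.items()
        if gid == primary_gid or username in members
    }


def authorize(username, users=USERS, groups=GROUPS):
    """True if the user exists and is in at least one allowed group.

    Unknown users are denied: an authenticated Kerberos principal with no
    local account should not pass an authorization check that is about
    local group membership.
    """
    return bool(user_groups(username, users, groups) & set(ALLOWED_GROUPS))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "root", "mallory"):
        print(f"{name:8s} groups={sorted(user_groups(name))} allowed={authorize(name)}")
```

Run on its own the script shows alice (listed member), bob (admins) and carol (primary group 2001 = mailreader) allowed, while root and the unknown principal mallory are denied. Whatever mechanism Dovecot used to authenticate the user, a check of this shape has to sit after it on every path, not only inside the PAM service file.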