GSSAPI vs group check

telsch telsch at gmx.de
Fri Jun 8 16:41:22 EEST 2018 

Dear All,

We are having a very similar issue with dovecot 2.2.34 as Ákos. We want 
our users to authenticate via GSSAPI over Kerberos using their TGT.

Our setup is two distinct locations with their own dovecot's with access 
to these being handled via LDAP auth mechanism with filters to check for 
their group memberships, i.e. users from location A are in group A and 
users from location B are in Group B and thus access their locations 
respective dovecot.

After setting up GSSAPI authentication however we have noticed that a 
user can access dovecot at location A via his Kerberos ticket even 
though he is a member of Group B and not a member of Group A.

The question is, how to configure GSSAPI to not just athenticate users, 
but also authorize them through checking their group memberships.

Our config:

auth_gssapi_hostname = <our servers hostname>
auth_krb5_keytab = <path to our dovecot keytab>
auth_mechanisms = plain login gssapi

passdb {
   # contains passfilter for LDAP
   args = /<...>/dovecot-ldap-passdb.conf.ext
   driver = ldap
}

userdb {
   # contains userfilter for LDAP
   args = /<...>/dovecot-ldap-userdb.conf.ext
   driver = ldap
}

The filters look like these:

passfilter = 
(&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net))
userfilter = 
(&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-user-group,OU=example-ou,DC=example-domain,DC=net))

Cheers


On 01.06.2018 13:55, Németh Ákos Ferenc wrote:
> Dear All,
> 
> 
> Is it possible to make any authorization (eg. checking of group 
> membership) in case of GSSAPI authentication?
> 
> 
> Our dovecot authenticates the users against PAM and GSSAPI. In the PAM 
> file I'm able to check if a user is a member of a selected (e.g 
> mailreader) group. If the user is member, he can login otherwise not 
> (see below). If the user has a valid Kerberos ticket and he tries to 
> login via GSSAPI, I can't restrict him if he is not a member of the 
> selected group.
> 
> 
> How can I overcome this issue?
> 
> 
> My config:
> 
> passdb {
>    driver = pam
>    # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
>    # [cache_key=<key>] [<service name>]
>    #args = dovecot
> }
> 
> userdb {
>    # <doc/wiki/AuthDatabase.Passwd.txt>
>    driver = passwd
>    # [blocking=no]
>    #args =
> 
>    # Override fields from passwd
>    #override_fields = home=/home/virtual/%u
> }
> 
> 
> ...in PAM file:
> 
> auth    [success=1 default=ignore]      pam_succeed_if.so user ingroup 
> mailreader
> 
> auth    [success=ignore default=2]      pam_succeed_if.so user ingroup 
> admins
> auth    [success=ignore default=1]      pam_succeed_if.so uid >= 1000
> auth    [success=3 default=ignore]      pam_winbind.so krb5_auth 
> krb5_ccache_type=FILE cached_login
> 
> auth    [success=ignore default=1]      pam_succeed_if.so uid < 1000
> auth    [success=1 default=ignore]      pam_unix.so nullok_secure 
> try_first_pass
> 
> auth    requisite                       pam_deny.so
> 
> auth    required                        pam_permit.so
> 
> 
> Thank you.
> 
> 
> Br,
> Ákos
>

More information about the dovecot mailing list