GSSAPI vs group check
telsch
telsch at gmx.de
Fri Jun 8 16:41:22 EEST 2018
Dear All,
We are having a very similar issue with dovecot 2.2.34 as Ákos. We want
our users to authenticate via GSSAPI over Kerberos using their TGT.
Our setup is two distinct locations, each with its own dovecot, with access
to these being handled via the LDAP auth mechanism with filters to check
their group memberships, i.e. users from location A are in group A and
users from location B are in Group B and thus access their location's
respective dovecot.
After setting up GSSAPI authentication however we have noticed that a
user can access dovecot at location A via his Kerberos ticket even
though he is a member of Group B and not a member of Group A.
The question is, how to configure GSSAPI to not just authenticate users,
but also authorize them by checking their group memberships.
Our config:
auth_gssapi_hostname = <our servers hostname>
auth_krb5_keytab = <path to our dovecot keytab>
auth_mechanisms = plain login gssapi
passdb {
# contains passfilter for LDAP
args = /<...>/dovecot-ldap-passdb.conf.ext
driver = ldap
}
userdb {
# contains userfilter for LDAP
args = /<...>/dovecot-ldap-userdb.conf.ext
driver = ldap
}
The filters look like these:
passfilter =
(&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net))
userfilter =
(&(objectclass=posixAccount)(cn=%u)(memberof=CN=example-user-group,OU=example-ou,DC=example-domain,DC=net))
Cheers
On 01.06.2018 13:55, Németh Ákos Ferenc wrote:
> Dear All,
>
>
> Is it possible to make any authorization (eg. checking of group
> membership) in case of GSSAPI authentication?
>
>
> Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
> file I'm able to check if a user is a member of a selected (e.g
> mailreader) group. If the user is member, he can login otherwise not
> (see below). If the user has a valid Kerberos ticket and he tries to
> login via GSSAPI, I can't restrict him if he is not a member of the
> selected group.
>
>
> How can I overcome this issue?
>
>
> My config:
>
> passdb {
> driver = pam
> # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
> # [cache_key=<key>] [<service name>]
> #args = dovecot
> }
>
> userdb {
> # <doc/wiki/AuthDatabase.Passwd.txt>
> driver = passwd
> # [blocking=no]
> #args =
>
> # Override fields from passwd
> #override_fields = home=/home/virtual/%u
> }
>
>
> ...in PAM file:
>
> auth [success=1 default=ignore] pam_succeed_if.so user ingroup
> mailreader
>
> auth [success=ignore default=2] pam_succeed_if.so user ingroup
> admins
> auth [success=ignore default=1] pam_succeed_if.so uid >= 1000
> auth [success=3 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login
>
> auth [success=ignore default=1] pam_succeed_if.so uid < 1000
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> try_first_pass
>
> auth requisite pam_deny.so
>
> auth required pam_permit.so
>
>
> Thank you.
>
>
> Br,
> Ákos
>
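The distinction the thread is about is authentication versus authorization: a valid Kerberos ticket proves who the user is, while the LDAP passfilter/userfilter with its memberof clause decides whether that user may use this location's server. The following added example (not Dovecot's code, and not from either poster) evaluates the passfilter from the post above against a constructed in-memory directory, so you can see what the group check must return for a GSSAPI-authenticated principal; the user names, group DNs and realm are assumed sample values.

```python
import re

# Constructed sample directory (not a real LDAP server): each entry maps a
# lower-cased attribute name to its values, the shape an LDAP search returns.
DIRECTORY = [
    {"objectclass": ["posixAccount"], "cn": ["alice"],
     "memberof": ["CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net"]},
    {"objectclass": ["posixAccount"], "cn": ["bob"],
     "memberof": ["CN=location-b-group,OU=example-ou,DC=example-domain,DC=net"]},
]
# The passfilter from the post, with %u as the placeholder Dovecot expands.
PASSFILTER = ("(&(objectclass=posixAccount)(cn=%u)"
              "(memberof=CN=example-pass-group,OU=example-ou,DC=example-domain,DC=net))")

def escape(value):
    # RFC 4515 escaping for the user-controlled value spliced into the filter.
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)
def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, pos=0):
    # Parses the RFC 4515 subset used on the page: &, |, ! and attr=value.
    assert text[pos] == "("
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        assert text[pos] == ")"
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), unescape(value)), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))

def authorize(principal, ldap_filter=PASSFILTER, directory=DIRECTORY):
    # principal is the name GSSAPI already authenticated, e.g. "bob@EXAMPLE.NET";
    # authorization passes only when some entry matches the group-restricted filter.
    user = escape(principal.split("@", 1)[0])
    tree, _ = parse_filter(ldap_filter.replace("%u", user))
    return any(matches(tree, e) for e in directory)
```

With this directory, `authorize("alice@EXAMPLE.NET")` is True and `authorize("bob@EXAMPLE.NET")` is False, which is the decision the GSSAPI login path must also be made to honour.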
More information about the dovecot mailing list