Proxy GSSAPI + PLAIN authentication

Sam dc at a7e.app
Sun Nov 24 17:17:46 EET 2019


Hi,

I am trying to configure a proxy that accepts GSSAPI and PLAIN authentication.

When authenticating with Kerberos, Dovecot uses a master user and password to
authenticate to the backends (the backends can be Cyrus or Exchange servers too).
When authenticating with PLAIN passwords, Dovecot sends the user's own login and
password to the backend.

For GSSAPI, I use these extrafields:
  k5principals=principal@REALM proxy=Y pass=masterpassword
  login_user=principal user=masteruser host=backend

For PLAIN, I use a static driver:
passdb {
  driver = static
  args = proxy=y host=cyrus password=%w
}

I can authenticate fine on the backend with Kerberos tickets and with
login/password.

The trouble is that if I authenticate with a PLAIN login/password, as a user
known from the passdb lookup made for GSSAPI, I can authenticate with any
password; it is not checked. The passdb with masteruser and nopassword=y is
checked.

I can't restrict the passdb with the k5principals extrafield.

I tried the static and ldap drivers, with the same wrong behaviour:

  pass_attrs = \
    =proxy=Y, \
    =nopassword=Y, \
    =pass=masterpassword, \
    =login_user=%{ldap:uid}, \
    =user=masteruser, \
    =host=backend, \
    =k5principals=%{ldap:uid}@REALM

With the ldap driver, I've got auth_bind = no.

The user is found in the ldap, and Dovecot logs him in with the masterpassword.

If I don't configure an ldap passdb, but only a userdb, the proxy tries the
passdb that comes after it for PLAIN logins.

With a passwd-file driver, k5principals works fine. The user isn't found if
they authenticate with PLAIN.

My question is: is it possible to restrict an ldap or static passdb to the
GSSAPI mechanism only?

Thanks for your help,
Regards,
Sam
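One defensive way to keep the nopassword=y result from ever matching a PLAIN login is to bind each passdb to the SASL mechanism it is meant for. The configuration below is an added illustration, not the poster's setup or text from the Dovecot documentation; it assumes a Dovecot 2.2.x or later release where the passdb "mechanisms" setting exists, and "backend", "masteruser", "REALM", MASTER_PASSWORD and the ldap config path are placeholders.

```conf
# Added example, not the poster's configuration. Assumes Dovecot 2.2.x+
# (passdb "mechanisms" setting); backend, masteruser, REALM,
# MASTER_PASSWORD and the ldap config path are placeholders.

# --- /etc/dovecot/conf.d/10-auth.conf (excerpt) ---
auth_mechanisms = plain gssapi

# Consulted only when the client authenticated with GSSAPI. A PLAIN login
# skips this passdb entirely, so its nopassword=Y result (which would
# accept any password) can no longer apply to a PLAIN login.
passdb {
  driver = ldap
  mechanisms = gssapi
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Consulted for PLAIN logins: the client's own password is forwarded to
# the backend, which verifies it. Nothing here returns nopassword.
passdb {
  driver = static
  mechanisms = plain
  args = proxy=y host=backend password=%w
}

# --- /etc/dovecot/dovecot-ldap.conf.ext (excerpt; pass_attrs as in the post) ---
auth_bind = no
pass_attrs = \
  =proxy=Y, \
  =nopassword=Y, \
  =pass=MASTER_PASSWORD, \
  =login_user=%{ldap:uid}, \
  =user=masteruser, \
  =host=backend, \
  =k5principals=%{ldap:uid}@REALM
```

After reloading, check the fix from the failure side: a PLAIN login for a user present in LDAP with a deliberately wrong password must now be rejected by the backend rather than proxied with the master credentials.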