[Dovecot] An alternate "dovecot-auth" daemon using cyrus-sasl

Andrey Panin pazke at donpac.ru
Tue Sep 6 08:44:53 EEST 2005


On 248, 09 05, 2005 at 03:48:19PM +0400, buc wrote:
>  We use dovecot in a heterogeneous environment (Windows/Linux desktops 
> and Linux servers).  For unified authentication we use a "Samba/OpenLDAP" 
> bundle (i.e., a Samba NT domain with an openldap backend and 
> pam/nss_ldap for Linux).

So why can't you use dovecot with openldap as passdb?

>  Windows users are authenticated well everywhere, but there is one old 
> issue. As "SPA" (NTLM) against an NT domain is not supported by dovecot, it 
> is necessary to use the default "plain" method. In addition to security 
> problems, it also creates a problem of password unification. Each time a 
> user changes the password, he should do it one more time for the mail 
> program.
> 
>  I know that dovecot supports NTLM, however against a local database only 
> (not against an NT domain controller). In early versions support for cyrus-sasl 
> (which supports NTLM now) had been incorporated; however, it seemingly did not 
> work and has now been removed.
>  Fortunately, there is a possibility to substitute the dovecot-auth 
> executable. Therefore I have tried to make an alternate variant of 
> dovecot-auth which supports all that we need.
> 
>  For us, it seems to be more useful to create an auth daemon using 
> cyrus-sasl, rather than to add domain support to the existing ntlm code. 
> First of all, it is easier to implement. Besides, it enables use of 
> all mechanisms supported by cyrus-sasl (present and future), including 
> GSSAPI. Anyway, it will be a useful addition to dovecot.

Dovecot doesn't support cyrus-sasl for a good reason - it's a mess.

>  I have made appropriate patches for both dovecot-1.0-stable and 
> dovecot-1.0.alpha1.
>  The idea is to copy "src/auth" to "src/auth-cyrus", strip everything unneeded 
> from the newly created directory and add cyrus-sasl support. The resulting 
> code probably does not look as elegant as if it had been written 
> separately; however, this way allows not doing a lot of things from 
> scratch.
> 
> 
>  The patch against 1.0.alpha1 is 
> here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz .
>  To be more readable, it is not a flat patch (due to a lot of whole-file 
> adds/removes). It is a tarball with 3 files: a list of files to 
> initially copy from auth/ to auth-cyrus/, a patch for the resulting tree, and 
> a script which automates these steps (:-)). (The script should be run in 
> the root of the main source, i.e. a dir with src/ and doc/ subdirs).
> 
> I have already successfully tested this patch with the PLAIN method. 
> However, before testing other methods, it would be desirable that 
> somebody has looked at it.
> 
>  Could someone check my patch (just by reading through it), 
> at least for obvious bugs and typos?
> 
> 
>        Dmitry Butskoy <Dmitry at Butskoy.name>
>        Saint-Petersburg, Russia
>        Red Hat Certified Engineer 809003662809495
> 
> 
> 

-- 
Andrey Panin		| Linux and UNIX system administrator
pazke at donpac.ru		| PGP key: wwwkeys.pgp.net