[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth

Dmitry Butskoy buc at odusz.so-cdu.ru
Mon Jul 2 19:19:01 EEST 2007


Timo Sirainen wrote:
>> - Currently I strip domain part of the username returned, i.e. from 
>> "DOMAIN\user" just to "user". Maybe better add some option 
>> "auth_winbind_strip_domain" for this?
>>     
>
> What if you changed it to user at domain? Then you could use Dovecot's
> standard %n or %u variables.
>   

AFAIK "user at domain" should have the actual form "user at example.com", 
but "ntlm_auth" returns "EXAMPLE\user" in such a case, not 
"EXAMPLE.COM\user". At least for NTLM (against AD).
OTOH the spnego could return the actual "user at example.com", but it is 
still unknown to me :)
> There's one thing I'd want changed: make it non-blocking. Both input and
> output are currently blocking, so dovecot-auth is stuck while waiting
> for ntlm_auth to reply. I want to avoid this whenever possible (I don't
> ever want to see "authentication just gets stuck, why??" mails.
> "ntlm_auth timed out" message in log is much nicer).
>
> I guess ntlm_auth can handle only a single session at a time? 

No.

Normally ntlm_auth is invoked at once for ALL authentication sessions. It 
is a child process which lives all the time while the dovecot-auth is alive.

> There's one thing I'd want changed: make it non-blocking

Still actual after the clarification above?..

> So this
> would pretty much require that you either implement some kind of a queue
>   

Currently I prefer to use blocking io, which provides such "a queue" 
de-facto. At least for initial implementation. (I hope "ntlm_auth" is 
fast enough).

But some timeout surely could be useful. How can it be implemented?

> or execute multiple ntlm_auths.

Does the use of a worker for, say, PAM userdb affect us here too?

>  Or maybe both. Using auth worker
> processes would probably be best. Unfortunately that currently works
> only for passdbs and userdbs, not for mechanisms. I guess I could try
> changing this for v1.1, unless you want to try? :)
>   

It seems that I prefer you try it... :)

Does "blocking io" + "worker" look like the best way?


Regards
Dmitry Butskoy
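The thread above weighs blocking I/O to a single long-lived ntlm_auth child (which serialises requests "de-facto") against the risk of dovecot-auth getting stuck, and asks how a timeout could be implemented. The following is an added example, not code from this thread or from Dovecot or Samba, written in Python rather than Dovecot's C. It keeps the one-request-at-a-time model but waits for each reply with select() and a deadline; a stalled helper produces a "timed out" result instead of a hung caller, and the child is respawned so its late reply cannot be mismatched to the next request. The helper child is a constructed stand-in (a tiny script that answers one line per request and deliberately stalls on requests beginning with "slow"); the class and method names are my own.

```python
import select
import subprocess
import sys

# Constructed stand-in for the ntlm_auth helper: one request line in, one
# reply line out.  A request beginning with "slow" stalls for five seconds
# to simulate a helper that does not answer in time.
FAKE_HELPER = r'''
import sys, time
for line in sys.stdin:
    line = line.strip()
    if line.startswith("slow"):
        time.sleep(5)
    sys.stdout.write("OK " + line + "\n")
    sys.stdout.flush()
'''


class HelperClient:
    """Talks to a single long-lived helper child over pipes, one request at a
    time.  Requests are serialised (the de-facto queue), but each reply is
    awaited with select() and a timeout, so a stalled helper cannot wedge the
    caller the way a plain blocking read would."""

    def __init__(self, timeout=1.0):
        self.timeout = timeout
        self.proc = None
        self.restarts = 0
        self._spawn()

    def _spawn(self):
        # bufsize=0 gives raw (unbuffered) pipe objects, so select() and
        # readline() always agree about which bytes have actually arrived.
        self.proc = subprocess.Popen(
            [sys.executable, "-c", FAKE_HELPER],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, bufsize=0)

    def _restart(self):
        # After a timeout the helper is out of sync: its late reply would be
        # matched to the *next* request.  Kill and respawn rather than reuse.
        self.proc.kill()
        self.proc.wait()
        self.restarts += 1
        self._spawn()

    def ask(self, request):
        """Send one request line; return the reply line, or None if the
        helper did not answer within the timeout (or exited)."""
        self.proc.stdin.write(request.encode() + b"\n")
        ready, _, _ = select.select([self.proc.stdout], [], [], self.timeout)
        if not ready:
            # This is where a real server would log "ntlm_auth timed out".
            self._restart()
            return None
        reply = self.proc.stdout.readline()
        if not reply:  # EOF: helper died underneath us
            self._restart()
            return None
        return reply.decode().rstrip("\n")

    def close(self):
        self.proc.kill()
        self.proc.wait()


if __name__ == "__main__":
    client = HelperClient(timeout=1.0)
    print(client.ask("fast:user1"))   # answered promptly
    print(client.ask("slow:user2"))   # None: timed out, helper respawned
    print(client.ask("fast:user3"))   # fresh helper answers again
    client.close()
```

The timeout only bounds the wait; it does not make the caller concurrent. Serving several sessions at once would still need the queue or multiple helpers (or auth worker processes) that the thread discusses, and the respawn-on-timeout step is what keeps a single shared helper from silently returning the wrong reply to the wrong session.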


