[Dovecot] An alternate "dovecot-auth" daemon using cyrus-sasl
Andrey Panin
pazke at donpac.ru
Tue Sep 6 13:21:22 EEST 2005
On 249, 09 06, 2005 at 01:35:58PM +0400, Dmitry Butskoy wrote:
> Andrey Panin wrote:
>
> >On 248, 09 05, 2005 at 03:48:19PM +0400, buc wrote:
> >
> >
> >>We use dovecot in a heterogeneous environment (Windows/Linux desktops
> >>and Linux servers). For unified authentication we use a
> >>"Samba/OpenLDAP" combination (i.e., a Samba NT domain with an OpenLDAP
> >>backend and pam/nss_ldap for Linux).
> >>
> >>
> >So why can't you use dovecot with openldap as passdb?
> >
> Yes, now we use dovecot with pam, which uses openldap via pam_ldap etc...
> But PAM can handle plain passwords only, therefore it is not suitable
> for NTLM.
> I have not found it in the examples, but maybe dovecot's ntlm can take
> the appropriate password hashes from openldap directly?
> (sambaLMPassword/sambaNTPassword)
Yes, dovecot can handle LM/NTLM password hashes and it can fetch them
from OpenLDAP directly (look at doc/dovecot-ldap.conf).
In general you can store passwords in any supported form; just add the proper
password scheme prefix. For example: {NTLM}69943C5E63B4D2C104DBBCC15138B72B
For more information read here: http://wiki.dovecot.org/Authentication
> >>Windows users are authenticated well everywhere, but there is one old
> >>issue. As "SPA" (NTLM) against an NT domain is not supported by dovecot,
> >>it is necessary to use the default "plain" method. In addition to the
> >>security problems, this also creates a problem of password unification:
> >>each time a user changes the password, he has to change it once more in
> >>the mail program.
> >>
> >>I know that dovecot supports NTLM, but only against a local database
> >>(not against an NT domain controller). In early versions support for
> >>cyrus-sasl (which now supports NTLM) had been incorporated, but it seems
> >>it did not work and has now been removed.
> >>Fortunately, there is a possibility to substitute the dovecot-auth
> >>executable. Therefore I have tried to make an alternate variant of
> >>dovecot-auth which supports all that we need.
> >>
> >>For us, it seems more useful to create an auth daemon using
> >>cyrus-sasl rather than to add domain support to the existing ntlm code.
> >>First of all, it is easier to implement. Besides, it enables the use of
> >>all mechanisms supported by cyrus-sasl (present and future), including
> >>GSSAPI. Anyway, it will be a useful addition to dovecot.
> >>
> >>
> >
> >Dovecot doesn't support cyrus-sasl for a good reason - it's a mess.
> >
> >
> Certainly, I do not suggest switching upstream dovecot to cyrus-sasl.
>
> But can this patch be given the right to live? Somewhere in "unofficial
> patches"...
>
> >>I have made appropriate patches for both dovecot-1.0-stable and
> >>dovecot-1.0.alpha1.
> >>The idea is to copy "src/auth" to "src/auth-cyrus", strip everything
> >>unneeded from the newly created directory and add cyrus-sasl support.
> >>The resulting code probably does not look as elegant as if it had been
> >>written separately, but this way avoids doing a lot of things from
> >>scratch.
> >>
> >>
> >>The patch against 1.0.alpha1 is
> >>here: http://dmitry.butskoy.name/dovecot/dovecot-1.0.alpha1-cyrus.tar.gz .
> >>To be more readable, it is not a flat patch (due to a lot of whole-file
> >>adds/removes). It is a tarball with 3 files: a list of files to
> >>initially copy from auth/ to auth-cyrus/, a patch for the resulting tree,
> >>and a script which automates these steps (:-)). (The script should be run
> >>in the root of the main source tree, i.e. a dir with src/ and doc/ subdirs.)
> >>
> >>I have already successfully tested this patch with the PLAIN method.
> >>However, before testing other methods, it would be desirable that
> >>somebody has a look at it.
> >>
> >>Could someone check my patch (just by reading through it quickly),
> >>at least for obvious bugs and typos?
> >>
> >>
>
> Dmitry Butskoy <Dmitry at Butskoy.name>
> Saint-Petersburg, Russia
> Red Hat Certified Engineer 809003662809495
>
>
--
Andrey Panin | Linux and UNIX system administrator
pazke at donpac.ru | PGP key: wwwkeys.pgp.net
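The reply above says a passdb value can carry any supported scheme as a "{SCHEME}" prefix, with {NTLM} holding the same NT hash that Samba keeps in sambaNTPassword. The following is an added example, written for this page and not code from the thread or from Dovecot, that builds such a value, imports one from a (constructed) sambaNTPassword attribute, and verifies a password against it. The NT hash is MD4 over the UTF-16LE password, which is certain; the helper names (nt_hash, passdb_value, verify, from_samba_attr), the treatment of an unprefixed value as PLAIN (Dovecot's default_pass_scheme fallback, assumed here), and the sample attribute value are this example's own choices. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3. LM hashes (sambaLMPassword) are not covered.

```python
"""Dovecot-style {NTLM} passdb values: compute, import from Samba, verify.

Added example, not Dovecot or Samba code. The NT hash is MD4 over the
UTF-16LE encoding of the password with no salt; Dovecot's "NTLM" scheme
stores it as hex behind a "{NTLM}" prefix, the same 32 hex characters
Samba stores in sambaNTPassword.
"""
import hmac
import re
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled)."""
    def f(x, y, z):
        return (x & y) | (~x & _MASK & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit LE bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # (round function, message-word order, shift amounts, round constant)
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                # Rotate the registers so every step updates "a" (4 steps = full cycle).
                a, b, c, d = d, _rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. No salt, so equal passwords collide."""
    return md4(password.encode("utf-16-le"))


def passdb_value(password: str) -> str:
    """The string to put in the passdb, in Dovecot's "{SCHEME}value" form."""
    return "{NTLM}" + nt_hash(password).hex().upper()


def from_samba_attr(samba_nt_password: str) -> str:
    """sambaNTPassword already holds the NT hash; only the prefix is added."""
    return "{NTLM}" + samba_nt_password.strip().upper()


def split_scheme(stored: str):
    """Split "{SCHEME}value". An unprefixed value is treated as PLAIN
    (assumed default_pass_scheme; configure it explicitly in practice)."""
    m = re.fullmatch(r"\{([A-Za-z0-9.-]+)\}(.*)", stored, re.DOTALL)
    if m:
        return m.group(1).upper(), m.group(2)
    return "PLAIN", stored


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored value (NTLM and PLAIN only here)."""
    scheme, value = split_scheme(stored)
    if scheme == "NTLM":
        try:
            digest = bytes.fromhex(value)
        except ValueError:
            return False                      # malformed hex never matches
        return hmac.compare_digest(digest, nt_hash(password))
    if scheme == "PLAIN":
        return hmac.compare_digest(value.encode("utf-8"), password.encode("utf-8"))
    raise ValueError("unsupported password scheme: " + scheme)


# Constructed sample: sambaNTPassword of a user whose password is "password".
SAMBA_NT_PASSWORD = "8846f7eaee8fb117ad06bdd830b7586c"

if __name__ == "__main__":
    stored = from_samba_attr(SAMBA_NT_PASSWORD)
    print(stored, passdb_value("password") == stored)
    print(verify(stored, "password"), verify(stored, "Password"))
```

The value behind {NTLM} is unsalted and is a password equivalent: an NTLM exchange proves possession of the hash, not of the plaintext, so anyone who can read sambaNTPassword from the directory can log in as that user. When Dovecot's LDAP bind DN is allowed to read that attribute, treat its credentials and the attribute's ACL with the same care as the plaintext password itself.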