[Dovecot] GSSAPI and virtual Users?

older
[Dovecot] Re: Getting maildir++...

S. Thias

15 Mar 2006 15 Mar '06

3:23 p.m.

Hi,

is there a possibility to map login-names to allowed Kerberos-Principals? At the moment GSSAPI-authentication seems to work only if loginname and kerberos-principal are the same, or am I missing something? It would be really great to use GSSAPI-auth with virtual users.

Thanks a lot!

S. Thias

Show replies by date

Jelmer Vernooij

15 Mar 15 Mar

3:32 p.m.

On Wed, Mar 15, 2006 at 04:23:05PM +0100, S. Thias wrote:

...

Cheers,

Jelmer

-- Jelmer Vernooij <jelmer@samba.org> - http://jelmer.vernstok.nl/ Currently playing: Led Zeppelin - Whole Lotta Love

Timo Sirainen

25 Mar 25 Mar

10:24 a.m.

On Wed, 2006-03-15 at 16:32 +0100, Jelmer Vernooij wrote:

...

I added now a pass=yes option to passdbs. This allows doing the conversion using eg.:

passdb passwd-file { args = /etc/imap.users pass = yes }

Where the imap.users file would contain entries like:

imapuser:::::::user=realuser

Or it could be done with SQL, LDAP or whatever.

Now if only the GSSAPI code could somehow be told to do these passdb lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not really sure..

Jelmer Vernooij

1:40 p.m.

On Sat, Mar 25, 2006 at 12:24:48PM +0200, Timo Sirainen wrote:

...

On Wed, 2006-03-15 at 16:32 +0100, Jelmer Vernooij wrote:

...
On Wed, Mar 15, 2006 at 04:23:05PM +0100, S. Thias wrote:

...
is there a possibility to map login-names to allowed Kerberos-Principals? At the moment GSSAPI-authentication seems to work only if loginname and kerberos-principal are the same, or am I missing something? I'm afraid that at the moment, that's not (yet) possible. I added now a pass=yes option to passdbs. This allows doing the conversion using eg.:

...

passdb passwd-file { args = /etc/imap.users pass = yes }

...

Where the imap.users file would contain entries like:

...

imapuser:::::::user=realuser

...

Or it could be done with SQL, LDAP or whatever.

...

Now if only the GSSAPI code could somehow be told to do these passdb lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not really sure.. That shouldn't be too hard to implement I guess (at the moment we simply require that the kerberos principal matches the username). What functions do I need to call to look up the mapping?

Cheers,

Jelmer

Jelmer Vernooij <jelmer@samba.org> - http://jelmer.vernstok.nl/

Timo Sirainen

26 Mar 26 Mar

8:24 a.m.

On Sat, 2006-03-25 at 14:40 +0100, Jelmer Vernooij wrote:

...

Well, I'm not sure how it should work. My basic idea was that you could call auth_request_verify_plain() which would then succeed because the password is empty and it would also get the username changed.

But if you want to support also other ways to authenticate than GSSAPI, then you'd need to have passdbs set for that, and this idea would break. So I'm not sure exactly how this should work.

Maybe if only those pass=yes passdbs were called with some function? Or maybe there should be some new way to configure which passdbs get used for which mechanisms..

Jelmer Vernooij

6 Apr 6 Apr

6:32 p.m.

On Sun, Mar 26, 2006 at 11:24:16AM +0300, Timo Sirainen wrote:

...

On Sat, 2006-03-25 at 14:40 +0100, Jelmer Vernooij wrote:

...
...
I added now a pass=yes option to passdbs. This allows doing the conversion using eg.:

...

...
...
passdb passwd-file { args = /etc/imap.users pass = yes }

...

...
...
Where the imap.users file would contain entries like:

...

...
...
imapuser:::::::user=realuser

...

...
...
Or it could be done with SQL, LDAP or whatever.

...

...
...
Now if only the GSSAPI code could somehow be told to do these passdb lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not really sure.. That shouldn't be too hard to implement I guess (at the moment we simply require that the kerberos principal matches the username). What functions do I need to call to look up the mapping? Well, I'm not sure how it should work. My basic idea was that you could call auth_request_verify_plain() which would then succeed because the password is empty and it would also get the username changed. The GSSAPI code receives two names from the client - the principal name that is being used for the authentication and the user name to use. At the moment, we still require both to be the same user. It would be sufficient if I could check whether a particular user is allowed to log in with a particular realname. I.e. if you could provide a function:

bool passdb_user_is_realuser(const char *authuser, const char *realuser);

Or perhaps a lookup function to retrieve the realuser for a particular authuser?

...

But if you want to support also other ways to authenticate than GSSAPI, then you'd need to have passdbs set for that, and this idea would break. So I'm not sure exactly how this should work. There should be no need for that in any case.

I have the feeling I'm not quite understanding this all, but I'm not sure what it is I don't get :-)

Cheers,

Jelmer

-- Jelmer Vernooij <jelmer@samba.org> - http://jelmer.vernstok.nl/

6971

Age (days ago)

6993

Last active (days ago)

List overview

5 comments

4 participants

participants (4)

Jelmer Vernooij
Jelmer Vernooij
S. Thias
Timo Sirainen