Proxy GSSAPI + PLAIN authentication


Dovecot mailing list
Hi,

I am trying to configure a proxy accepting GSSAPI and PLAIN authentication.

When authenticating with Kerberos, Dovecot uses a master user and password to authenticate to the backends (backends can be Cyrus or Exchange servers too).
When authenticating with PLAIN passwords, Dovecot sends the user's login and password to the backend.

For GSSAPI, I use extra fields:
k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend

For PLAIN, I use a static driver:
passdb {
  driver = static
  args = proxy=y host=cyrus password=%w
}

I can authenticate fine with Kerberos tickets and login/password on the backend.

Trouble is that if I authenticate with PLAIN login/password as a user known from the passdb lookup made for GSSAPI, I can authenticate with any password; it is not checked. The passdb with masteruser and nopassword=y is checked.

I can't restrict the passdb with the k5principals extrafield.

I tried the static and ldap drivers, with the same wrong behaviour.
pass_attrs = \
  =proxy=Y, \
  =nopassword=Y, \
  =pass=masterpassword, \
  =login_user=%{ldap:uid}, \
  =user=masteruser, \
  =host=backend, \
  =k5principals=%{ldap:uid}@REALM
With the ldap driver, I have auth_bind = no.

The user is found in LDAP, and Dovecot logs him in with the masterpassword.

If I don't configure an ldap passdb but only a userdb, the proxy tries the passdb that comes after it for PLAIN logins.

With a passwd-file driver, k5principals works fine: the user isn't found if he authenticates with PLAIN.

My question is: is it possible to restrict an ldap or static passdb to the GSSAPI mechanism only?

Thanks for your help,
Regards,
Sam
Re: Proxy GSSAPI + PLAIN authentication

Dovecot mailing list
If your Dovecot is recent enough, you can use the mechanisms setting on the passdb block. See https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
On 24/11/2019 17:17 Sam via dovecot <[hidden email]> wrote:

---
Aki Tuomi
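As an added illustration of the answer above (this is not a configuration from the thread or from the Dovecot project), the two passdb blocks from the question with the mechanisms setting applied, so the master-user passdb is consulted only for GSSAPI and PLAIN logins fall through to the passdb that forwards the user's own password. The backend host names, masteruser and masterpassword are placeholders; the use of %u for the principal name is an assumption.

```conf
# Dovecot proxy: separate passdbs per SASL mechanism.
# Without "mechanisms", the first block also matches PLAIN logins and,
# because of nopassword=y, accepts any password for a known user.

# Kerberos (GSSAPI) users: the ticket is verified by the mechanism itself,
# so this passdb only maps the principal to the master credentials.
passdb {
  driver = static
  mechanisms = gssapi
  args = proxy=y nopassword=y host=backend.example.com \
         user=masteruser pass=masterpassword \
         login_user=%u k5principals=%u@REALM
}

# PLAIN (and LOGIN) users: forward the user's own password (%w) to the
# backend, which performs the actual password check.
passdb {
  driver = static
  mechanisms = plain login
  args = proxy=y host=cyrus.example.com password=%w
}
```

After changing the configuration, verify the split with `doveadm auth test -m plain someuser wrongpassword` against the proxy: it must now fail, while a GSSAPI login of the same user still succeeds.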
Re: Proxy GSSAPI + PLAIN authentication

Dovecot mailing list
Thanks! It did the trick!

We can do very different configurations with this new setting.

Regards,
Sam

On Sun, 24 Nov 2019 at 16:48, Aki Tuomi <[hidden email]> wrote: