On 02/02/2011 02:38 PM, Timo Sirainen wrote:
> On Wed, 2011-02-02 at 14:29 -0700, Trever L. Adams wrote:
>> dn = smtp/mailhost.example....@example.org
>> sasl_bind = yes
>> sasl_mech = GSSAPI
>> sasl_realm = EXAMPLE.ORG
>> sasl_authz_id = smtp/mailhost.example....@example.org
> LDAP SASL authentication goes through Cyrus SASL library, nothing
> Dovecot can do about it, except for me to write my own LDAP library.

Ok. I can understand that.

>> Additionally, I have "auth_krb5_keytab = /etc/dovecot/krb5.keytab" setup
>> for the GSSAPI user login.
> So this setting is never used. If that's the problem, you could try if
> you can work around it in a bit kludgy way:
>
> service auth {
>   executable = /usr/local/bin/auth-wrapper.sh
> }
>
> Which contains:
>
> #!/bin/sh
> export KRB5_KTNAME=/etc/dovecot/krb5.keytab
> exec /usr/local/libexec/dovecot/auth -k

I thought I saw a patch on the mailing list in 2007 that set KRB5_KTNAME if auth_krb5_keytab was set in the configuration. I guess it was either ntlm specific or was not accepted.

Postfix (the other half of my solution -- though the version I am using doesn't do SASL LDAP yet, but 2.9.x does) allows you, in the configuration, to set what environment variables it should not unset and even define new ones (an example -- import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab). This may be a good solution for Dovecot specifically for things like this.

I would rather not have to run bash or any other shell just to set the environment variable. I will for the time being.

Thank you, as always,
Trever
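A shell-free variant of the wrapper from the thread, as an added example that is not part of the original messages and not Dovecot code: a small C program that sets KRB5_KTNAME and execs the auth binary with the same `-k` argument. The keytab permission check (regular file, no access for others, not group-writable) and the function names are assumptions of this example.

```c
/* auth-wrapper.c: added example, not from the thread or from Dovecot. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths as given in the thread; adjust to the local install. */
#define KEYTAB   "/etc/dovecot/krb5.keytab"
#define AUTH_BIN "/usr/local/libexec/dovecot/auth"

/* A keytab holds long-term service keys. Policy assumed here: it must
 * be a regular file, with no permission bits for "other" and no group
 * write bit. Returns 1 if acceptable, 0 otherwise. */
int keytab_mode_ok(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    return (st->st_mode & (S_IRWXO | S_IWGRP)) == 0;
}

/* Check the keytab, then export KRB5_KTNAME so the Kerberos library
 * used underneath Cyrus SASL picks it up. Returns 0 on success, -1 if
 * the file is missing or fails the permission policy. */
int export_keytab(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0 || !keytab_mode_ok(&st))
        return -1;
    return setenv("KRB5_KTNAME", path, 1);
}

int main(void)
{
    /* Same command line as the shell wrapper: auth -k */
    char *const argv[] = { AUTH_BIN, "-k", NULL };

    if (export_keytab(KEYTAB) != 0) {
        fprintf(stderr, "auth-wrapper: refusing to use %s\n", KEYTAB);
        return 1;
    }
    execv(AUTH_BIN, argv);   /* only returns on failure */
    perror("auth-wrapper: execv");
    return 127;
}
```

Once compiled, the binary would take the place of `auth-wrapper.sh` in the `executable =` line of the `service auth` block.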