On Wed, 2011-06-01 at 11:25 +0200, Jahnke-Zumbusch, Dirk wrote:
> For now my section for the passdb in the Director instance is
>
> passdb {
>   driver = static
>   args = proxy=y nopassword=y
> }
>
> So the backend will do the authentication of the session. But this setup
> inhibits using Kerberos, as the TGT is not forwarded to the backend
> server.

Right..

> I would very much like to provide GSSAPI/Kerberos authentication, which
> already works fine with the backend servers being directly connected by
> mail clients. The backend servers are using the PAM driver.
>
> I could not figure out, how to set up the passdb entry for the director
> instance to use PAM (this way enabling GSSAPI/Kerberos) and also giving
> back the necessary "proxy=y" to make director proxying the IMAP session.

PAM doesn't enable clients to use GSSAPI/Kerberos authentication. The
client would still be doing a plaintext user+password authentication. So
I don't think using PAM+Kerberos on director is useful for anything.

For real Kerberos auth you'd need to use Dovecot's own GSSAPI
authentication. But yeah, there's currently no way to return proxy=y
from GSSAPI either, because it doesn't use any passdb..