It’s actually unbelievable how much slower LDAP auth is than PAM. Does anyone have any suggestions how I can improve Dovecot LDAP auth? I have tried caching authentications and that doesn’t help either.
~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

> On Jul 1, 2015, at 4:41 PM, Laz C. Peterson <l...@paravis.net> wrote:
>
> Thank you for the response Axel. I will look into that.
>
> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP
> authentication, but now performance is unbelievably slow. For example, with
> PAM/Kerberos, a user can log into webmail and have all of their
> emails/folders showing almost immediately. When using Dovecot LDAP, it takes
> literally 8-10 seconds to see the same thing.
>
> I was hoping that was a possible replacement for this, but my goodness it was
> so incredibly slow! This would definitely be an option though, as it does
> serve the purpose. I just can’t figure out how to fix the performance issue.
> Any thoughts to this?
>
> ~ Laz Peterson
> Paravis, LLC
> Ph: 951.319.3240 x201
>
>> On Jul 1, 2015, at 3:24 PM, Axel Luttgens <axel.luttg...@skynet.be> wrote:
>>
>>> On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
>>>
>>> I have an interesting case here …
>>>
>>> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication
>>> done using PAM. PAM authenticates through Kerberos, which are internal
>>> realms and not the email domains — for example, my username would be
>>> laz@PARAVIS.LOCAL and my email address would be
>>> l...@paravis.net.
>>>
>>> All of this works just fine. But what I want to do is allow the users to
>>> log in using their email address and not their full Kerberos name. It is
>>> becoming laborious to help the users understand the difference between
>>> their username@LOCAL.REALM and username@email.address
>>> and why we have to have two separate
>>> identities that mean the same thing.
>>>
>>> I have the SQL statements to convert either the Kerberos login or the email
>>> address to the actual Kerberos login (so they may use either). But I
>>> cannot seem to figure out how to get Dovecot to acknowledge this as the
>>> mapped username.
>>>
>>> I’m sure there has to be a way. Any help will be greatly appreciated.
>>> Thank you!
>>
>> Hello Laz,
>>
>> I fear you’ll have to resort to CheckPassword
>> (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
>>
>> Indeed, your MySql database may contain everything needed to convert email
>> addresses to kerb login (and vice-versa), but Dovecot’s PAM interface
>> understandably just knows about a (login, password) pair, where the login is
>> the one provided by the user wanting to log in.
>>
>> That said, I hope to be wrong,
>> Axel
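
The CheckPassword route suggested in the quoted reply, sketched as an added example (not code from this thread or from the Dovecot project): the script reads the credentials Dovecot passes on fd 3, maps an email address to the Kerberos principal, and reports the mapped name through `$USER` before executing the reply binary given as its first argument. Assumptions: the `ALIASES` table is constructed data standing in for the MySQL lookup, `deny_all` is a hypothetical placeholder for the site's real Kerberos/PAM password check, and home directory and uid come from a separate userdb.

```python
import os
import sys

# Constructed alias table standing in for the MySQL lookup (hypothetical data).
ALIASES = {"laz@example.net": "laz@EXAMPLE.LOCAL"}


def parse_input(data):
    """Split the fd-3 payload 'login NUL password NUL [timestamp NUL]'."""
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")


def map_login(login, aliases=ALIASES):
    """Accept a Kerberos principal or an email address; return the principal."""
    if login in aliases.values():
        return login
    return aliases[login.lower()]  # KeyError for an unknown login


def authenticate(data, verify, aliases=ALIASES):
    """Return the principal to report as $USER, or None to reject the login."""
    try:
        login, password = parse_input(data)
        principal = map_login(login, aliases)
    except (ValueError, KeyError):
        return None
    return principal if verify(principal, password) else None


def deny_all(principal, password):
    """Placeholder verifier (assumption): replace with the Kerberos/PAM check."""
    return False


def main(argv, verify=deny_all):
    with os.fdopen(3, "rb") as fd:       # Dovecot passes credentials on fd 3
        data = fd.read(1024)
    try:
        principal = authenticate(data, verify)
    except Exception:
        return 111                       # temporary failure, not a bad password
    if principal is None:
        return 1                         # authentication failed
    os.environ["USER"] = principal       # tells Dovecot the mapped username
    os.execv(argv[1], argv[1:])          # hand over to checkpassword-reply


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Unknown logins and wrong passwords both exit with code 1, so the script does not reveal which addresses exist; exit code 111 is kept for backend errors so an outage is not recorded as a failed password.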