I've tried looking through "the Google", and the mail list archives, but
my results are inconclusive at best.
My setup is basically three different servers.
Server 1: Kerberos (Heimdal), OpenLDAP (SSL/TLS required, with simple
bind or GSSAPI auth, users have a {SASL} password), and saslauthd
locally to make simple binds work (I need this sometimes). Also an
SSL-enabled MySQL server. (No Kerberos support there, sadly.)
Server 2: Apache with goodies like PHP and the CoSign module, and cosignd
running on the same machine. Kerberos login works. Haven't tried much
more, or done anything with tickets.
Server 3, the mail server, is not yet configured. Here I plan to use
Postfix for SMTP, Dovecot for IMAP, and have things like SpamAssassin and
antivirus. Postfix and Dovecot both support GSSAPI, which is part of the
reason I picked them. Also, I have mail stored in the Maildir format
from before, and I want to keep it that way, so I can't use Cyrus-imap
(no Maildir support) or Courier-imap (no SASL/GSSAPI support).
The tricky part is the web mail. I want users to log in to the web mail
via Cosign, and the simplest way would be if I could use a Kerberos
ticket to gain access to SMTP, IMAP and LDAP all in one go. I haven't
found a web mail system that can use GSSAPI straight away (either via
Cosign, mod_auth_kerb, SPNEGO or some other SSO setup). And from what
I've read in the mail list archives, you don't use this, but instead
have some local proxy with only simple username "login".
I use SquirrelMail for my current setup (simple SSL plain-text auth
based), but there is no real reason I must stick with SquirrelMail. My
users probably won't mind as long as I can get an SSO setup working. And
as far as I can tell, they are currently discussing whether or not to
add GSSAPI support in SquirrelMail 1.5.2, but that is still a long way off.
So what I'm asking is if there is some web mail system that you know of
that already has support for a pure GSSAPI/Kerberos ticket
authentication, or if any of you have made such modifications yourself,
that you are willing and able to share?
Other alternatives are also welcome, but I'd rather it at least included
some connection to LDAP for verification/validation of users, possibly
via a simple "anonymous" search, and not just relied on an existing
Maildir = a valid account (like you use at UMich, if I am not mistaken).
(I guess you could restrict access to the web mail itself via Cosign
Factors before it even got to this point though.)
/Tobias
Cosign-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/cosign-discuss