Christoph
Tobias Franzén wrote:
I've tried looking through "the Google", and the mail list archives, but my results are inconclusive at best.

My setup is basically three different servers.

Server 1: Kerberos (Heimdal), OpenLDAP (SSL/TLS required, with simple bind or GSSAPI auth, users have a {SASL} password), and saslauthd locally to make simple binds work (I need this sometimes). Also an SSL-enabled MySQL server. (No Kerberos support there sadly.)

Server 2: Apache with goodies like PHP and CoSign module, and cosignd running on the same machine. Kerberos login works. Haven't tried much more, or done anything with tickets.

Server 3, the mail server, is not yet configured. Here I plan to use Postfix for SMTP, Dovecot for IMAP, and have things like SpamAssassin and antivirus. Postfix and Dovecot both support GSSAPI, which is part of the reason I picked them. Also, I have mail stored in the Maildir format from before, and I want to keep it that way, so I can't use Cyrus-imap (no Maildir support) or Courier-imap (no SASL/GSSAPI support).

The tricky part is the web mail. I want users to log in to the web mail via Cosign, and the simplest way would be if I could use a Kerberos ticket to gain access to smtp, imap and ldap all in one go. I haven't found a web mail system that can use GSSAPI straight away (either via Cosign, mod_auth_kerb, SPNEGO or some other SSO setup). And from what I've read in the mail list archives, you don't use this, but instead have some local proxy with only simple username "login".

I use SquirrelMail for my current setup (simple SSL plain text auth based), but there is no real reason I must stick with SquirrelMail. My users probably won't mind as long as I can get an SSO setup working. And as far as I can tell, they are currently discussing whether or not to add GSSAPI support in SquirrelMail 1.5.2, but that is still a long way off.

So what I'm asking is if there is some web mail system that you know of that already has support for a pure GSSAPI/Kerberos ticket authentication, or if any of you have made such modifications yourself, that you are willing and able to share?

Other alternatives are also welcome, but I'd rather it at least included some connection to LDAP for verification/validation of users, possibly via a simple "anonymous" search, and not just relied on an existing Maildir = a valid account (like you use at UMich, if I am not mistaken). (I guess you could restrict access to the web mail itself via Cosign Factors before it even got to this point though.)

/Tobias

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
