On Thu, 21 Feb 2008, Simon Wilkinson wrote:
On 20 Feb 2008, at 14:12, Tobias Franzén wrote:
The tricky part is the web mail. I want users to login to the web mail
via Cosign, and the simplest way would be if I could use a Kerberos
ticket to gain access to smtp, imap and ldap all in one go. I haven't
found a web mail system that can use GSSAPI straight away (either via
Cosign, mod_auth_kerb, SPNEGO or some other SSO setup). And from what
I've read in the mail list archives, you don't use this, but instead
have some local proxy with only simple username "login".
This isn't true. We're running IMP here in exactly this
configuration. IMP gets a Kerberos ticket from somewhere (in our case
cosign, but this works just as well with mod_auth_kerb doing SPNEGO),
and uses that to authenticate through to the IMAP server using GSSAPI.
It's been a while since I looked at this - when I prototyped it, a
small change was required to the PHP IMAP module in order to enable
GSSAPI authentication. I know that the people who actually run our
central mail service are on this list - so hopefully one of them will
pop up and provide further details.
I assume you mean me ;-)
Yes, we certainly used to do it that way. However, we no longer use GSSAPI
authentication in our new IMP/Cyrus setup except for managing sieve
scripts. However, what Simon says is correct and the only thing you need
to tweak in the PHP compilation is the order in which authentication
modules are tried in the php_imap.c extension. If you leave it with the
default, then it first tries password login, MD5 checksums and then
GSSAPI, by which time you've probably given up and gone home. Of course
your c-client library that you link PHP to when you compile needs to have
GSSAPI support compiled into it too.
Graeme
--
Graeme Wood, Unix Section of the IT Infrastructure Division,
Information Services, The University of Edinburgh
Email: [EMAIL PROTECTED] Phone: +44 131 650 5003 Fax: +44 131 650 6552
The University of Edinburgh is a charitable body,
registered in Scotland, with registration number SC005336.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
