Graeme Wood wrote:
> On Thu, 21 Feb 2008, Simon Wilkinson wrote:
>
>> On 20 Feb 2008, at 14:12, Tobias Franzén wrote:
>>>
>>> The tricky part is the web mail. I want users to login to the web mail
>>> via Cosign, and the simplest way would be if I could use a Kerberos
>>> ticket to gain access to smtp, imap and ldap all in one go. I haven't
>>> found a web mail system that can use GSSAPI straight away (either via
>>> Cosign, mod_auth_kerb, SPNEGO or some other SSO setup). And from what
>>> I've read in the mail list archives, you don't use this, but instead
>>> have some local proxy with only simple username "login".
>>
>> This isn't true. We're running IMP here in exactly this
>> configuration. IMP gets a Kerberos ticket from somewhere (in our case
>> cosign, but this works just as well with mod_auth_kerb doing SPNEGO),
>> and uses that to authenticate through to the IMAP server using GSSAPI.
>>
>> It's been a while since I looked at this - when I prototyped it, a
>> small change was required to the PHP IMAP module in order to enable
>> GSSAPI authentication. I know that the people who actually run our
>> central mail service are on this list - so hopefully one of them will
>> pop up and provide further details.
>
> I assume you mean me ;-)
>
> Yes, we certainly used to do it that way. However, we no longer use
> GSSAPI authentication in our new IMP/Cyrus setup except for managing
> sieve scripts. However, what Simon says is correct and the only thing
> you need to tweak in the PHP compilation is the order in which
> authentication modules are tried in the php_imap.c extension. If you
> leave it with the default, then it first tries password login, MD5
> checksums and then GSSAPI, by which time you've probably given up and
> gone home. Of course your c-client library that you link PHP to when
> you compile needs to have GSSAPI support compiled into it too.
>
> Graeme
>

So there is no modification to the IMP source needed, to get it working with Cosign?
(Some configuration probably, but nothing more?) That would be great, and really only leave me one more obstacle to overcome, which is to decide what kind of functionality I want to support with my mail, and choose an LDAP schema accordingly (or possibly compose my own).

Thanks for all your quick answers. I'll likely be back with more questions if it doesn't all work out, but it might take a while. Working evenings and weekends with this hobby project of mine.

/Tobias

_______________________________________________
Cosign-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
