On 01/30/2012 10:20 AM, Dale Macartney wrote:
> Hi Erinn
> I originally asked the question as I was thinking my auth attempts were
> failing when using ipa, however this was not the case.
> On closer inspection, i found that the authentication was successful yet
> dovecot was failing to read a "missing" mailbox.
> I found that dovecot was simply missing the mailbox_location directive,
> detailed below.
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> Once I restarted dovecot with this extra line, the authentication was
> again validated. I was then prompted to accept the self-signed
> certificate from dovecot and I was able to retrieve the mail as intended.
> Does this help clear things up?
> Dale

>> So I am a bit confused here, is this working for you or not? It looked
>> like you were asking a question to begin with, but then at then end you
>> are saying it is 100% working?
>> Just trying to figure out whether you need help,
>> -Erinn

Hey sounds good to me, just glad it is working for you :). The only
other question/suggestion I have is that it looks like you aren't
leveraging kerberos in your configuration for SSO, You might want to
think about doing this as it can be a pretty nice configuration.

Essentially you would just need to add service principles for the host
in the form of imap and or pop, and change the auth line in your dovecot
config to allow for gssapi auth, like so:

sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"

Then assuming your user has a ticket, and their client is properly
configured, they no longer need to do anything upon logging into their
system, kerb will auth the rest.

If you are on a multihomed system, you will need two additional changes,
service principles for the other host name, and the following modification:
sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'

I got a little caught up when you referenced the /etc/krb5.keytab file
as possibly part of the problem so I thought this was more a kerb issue.


Attachment: signature.asc
Description: OpenPGP digital signature

Freeipa-users mailing list

Reply via email to